Data Protection Aspects of Loyalty Schemes

Loyalty schemes are marketing strategies designed to encourage customers to continue to shop at or use the services of a business associated with the scheme. In such schemes, the operator typically sets up an account for a client of the business associated with the scheme, and then issues a loyalty card in plastic, paper or even electronic form, that identifies the cardholder as a participant in the program.

Loyalty schemes are quintessential tools in contemporary business marketing and are very commonly used in retail transactions. Given that they involve the systematic processing of large amounts of card-holders’ personal data, loyalty schemes are required to be designed and operated in line with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and national data protection laws.

Loyalty Schemes & Profiling

Profiling is defined as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (article 4 § 4 of the GDPR).

According to its definition above, profiling is composed of three elements: (i) an automated form of processing; (ii) carried out on personal data; (iii) with the objective to evaluate personal aspects about a natural person (article 4 § 4 of the GDPR).

In most cases, data processing in loyalty schemes falls within the scope of general profiling, i.e. profiling that does not necessarily result in automated decision-making.

The GDPR introduces the following provisions to ensure that profiling is not used in ways that have an unjustified impact on individuals’ rights (EDPB (2018). Guidelines on Automated Decision-Making and Profiling, https://ec.europa.eu/newsroom/article29/items/612053/en):

  • specific transparency and fairness requirements;
  • greater accountability obligations;
  • specified legal bases for the processing;
  • rights for individuals to oppose profiling and specifically profiling for marketing; and
  • the need to carry out a data protection impact assessment.

The Data Subject’s Consent as Legal Basis for Loyalty Schemes’ Data Processing

Data processing involved in loyalty schemes may solely be based on the consent of the data subject, since participation in a loyalty scheme cannot be deemed necessary for the performance of a contract with the data subject and the conditions of the other legal bases of article 6 § 1 of the GDPR are not fulfilled.

The consent of the data subject as legal basis for the processing of personal data is regulated by the GDPR and Greek Law 4624/2019, read together with the relevant Guidelines of the Article 29 Working Party (“Art29WP”), the European Data Protection Board (“EDPB”) and the Greek Data Protection Authority (“DPA”). Under these provisions, the consent received by the Company must have the following characteristics:

  • In advance: To be obtained before each processing activity.
  • Informed: When obtaining consent, to provide the data subject with the legally required information, including information about the data subject’s right to withdraw consent at any time and the consequences of any withdrawal.
  • Easily Comprehensible: The request for consent as well as the relevant information to be made in a comprehensible and easily accessible form using clear and simple language.
  • Unambiguous: The consent to be given by a statement or by a clear affirmative action (silence, pre-ticked boxes or inactivity of the data subject will not be considered as lawful consent; explicit consent in the strict sense is additionally required where special categories of data are processed).
  • Specific: Where processing of personal data is carried out for more than one processing activity/purpose, consent to be requested and given for each of these separately.
  • Clearly Distinguishable: To be submitted in such a way that it is clearly distinct from other matters.
  • Freely Given: The consent to be the result of a genuine and free choice of the data subject, namely it must be possible for the data subject to refuse or withdraw consent without detriment. Where there is a clear imbalance of power between the data subject and the Company, as in the case of the Company’s employees, consent should be considered free only exceptionally, where a refusal or revocation of consent has no adverse consequences for the data subject. Consent given in the context of the performance of a contract must not be made a condition for the acceptance of terms or conditions for the performance of the contract or the provision of services related to it.
  • Recorded: To be provided either by written declaration (by electronic or digital means, provided that identification is possible) or by any recorded oral statement.
  • Withdrawn Freely and at any Time: The data subject is free to withdraw consent at any time, in a way that is as easy, simple and effective as the way in which the consent was given. Regarding the consequences of withdrawal for data processing which is strictly necessary for the performance of a contract, the data subject must be informed that consent withdrawal gives the Company the right to terminate the contract. If the withdrawal of consent takes place pre-contractually, the Company has the right to refuse to conclude a contract.
  • Effectiveness of withdrawal: The Company shall have implemented appropriate measures to ensure that, in case of consent withdrawal, personal data processing ceases in real time and related systems immediately respond to it.

There is not any specific time limit in the GDPR for how long consent will last. How long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject. If the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained. The EDPB recommends as a best practice that consent should be refreshed at appropriate intervals. Providing all the information again helps to ensure the data subject remains well informed about how their data is being used and how to exercise their rights (EDPB Guidelines 05/2020, p. 22).
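
The consent requirements above (per-purpose, recorded with its evidence, withdrawable with immediate effect, no longer valid once the processing changes considerably, and refreshed at intervals) translate directly into how a consent record and the gate in front of the processing pipeline should be built. The following Python sketch is an added example and is not part of the original text or of any particular product; the 365-day refresh interval, the purpose names, the notice versions and the sample cardholders are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption for this example: consent is treated as stale after one year.
# The GDPR sets no fixed limit; the interval is a documented policy choice.
REFRESH_INTERVAL = timedelta(days=365)


@dataclass
class ConsentRecord:
    """One consent event for one purpose. Records are never deleted:
    withdrawal is recorded as a new fact, so the history stays auditable."""
    subject_id: str
    purpose: str            # e.g. "loyalty_account", "profiling_marketing"
    notice_version: str     # version of the information notice shown
    given_at: datetime
    evidence: str           # how it was given (form, channel, checkbox id ...)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, notice_version: str) -> None:
        self.notice_version = notice_version   # notice currently in force
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, evidence: str, at: datetime) -> None:
        # Consent is requested and stored per purpose ("specific"): a consent
        # to run the loyalty account never covers marketing profiling.
        self._records.append(ConsentRecord(subject_id, purpose, self.notice_version, at, evidence))

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> None:
        # Withdrawal is as easy as giving consent: one call, one purpose.
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at

    def update_notice(self, new_version: str) -> None:
        # A considerably changed processing operation is no longer covered by
        # the old consent; bumping the version invalidates every earlier record.
        self.notice_version = new_version

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Gate for every processing step: True only if there is a live,
        current, not-yet-stale consent for exactly this purpose."""
        return any(
            r.subject_id == subject_id
            and r.purpose == purpose
            and r.withdrawn_at is None
            and r.notice_version == self.notice_version
            and now - r.given_at < REFRESH_INTERVAL
            for r in self._records
        )


def select_for_profiling(ledger: ConsentLedger, transactions: list[dict], now: datetime) -> list[dict]:
    """Return only the transactions whose cardholder may be profiled for
    marketing; everything else is dropped before it reaches the analytics job."""
    return [t for t in transactions if ledger.may_process(t["subject_id"], "profiling_marketing", now)]


def demo() -> dict:
    """Walk through the consent lifecycle on constructed sample data."""
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    ledger = ConsentLedger("notice-v1")
    ledger.record_consent("alice", "loyalty_account", "web form, checkbox #1", t0)
    ledger.record_consent("alice", "profiling_marketing", "web form, checkbox #2", t0)
    ledger.record_consent("bob", "loyalty_account", "in-store tablet", t0)
    txns = [{"subject_id": "alice", "amount": 42.0}, {"subject_id": "bob", "amount": 13.5}]
    out = {}
    # Specificity: bob only consented to the account, so only alice is profiled.
    out["before_withdrawal"] = [t["subject_id"] for t in select_for_profiling(ledger, txns, t0 + timedelta(days=1))]
    # Withdrawal takes effect at the next processing run.
    ledger.withdraw("alice", "profiling_marketing", t0 + timedelta(days=2))
    out["after_withdrawal"] = [t["subject_id"] for t in select_for_profiling(ledger, txns, t0 + timedelta(days=3))]
    # Staleness: a consent given at t0 is honoured at day 30 but not at day 400.
    ledger.record_consent("bob", "profiling_marketing", "app toggle", t0)
    out["bob_fresh"] = ledger.may_process("bob", "profiling_marketing", t0 + timedelta(days=30))
    out["bob_stale"] = ledger.may_process("bob", "profiling_marketing", t0 + timedelta(days=400))
    # Changed notice: every consent given under the old notice stops covering the processing.
    ledger.update_notice("notice-v2")
    out["bob_after_notice_change"] = ledger.may_process("bob", "profiling_marketing", t0 + timedelta(days=30))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the profiling job never sees a record it is not allowed to process: the ledger is append-only (so the Company can prove when and how consent was obtained), the check is keyed on the exact purpose, and a withdrawal or a new notice version flips the gate without any batch clean-up.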

Transparency of Processing in Loyalty Schemes

Apart from the categories of information stipulated in articles 13-14 of the GDPR, at the point of acquiring consent the Data Controller should explicitly draw the data subject’s attention to the following information (see articles 13.2(f) and 14.2(g) of the GDPR and WP29, Guidelines on transparency under the GDPR, WP260, 28 November 2017, https://ec.europa.eu/newsroom/article29/items/622227/en):

  • The existence of profiling and, if this is the case, automated decision-making through the loyalty scheme (recital 60 of the GDPR);
  • Meaningful information about the logic used in the profiling; and
  • Meaningful information about the significance and envisaged consequences of such processing for the data subject.

In this context, the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed.

Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data (see recital 60 of the GDPR).

Where the personal data are collected from other sources, the Data Controller should provide to the data subject the categories of information stipulated in article 14 of the GDPR.

Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling (see recital 60 of the GDPR). The Data Controller will need to find simple ways to tell the data subject about the rationale and criteria behind the profiling. The information provided does not necessarily require a complex explanation of the algorithms used or disclosure of the full algorithm. It should, however, be sufficiently comprehensive for the data subject to understand the ways s/he will be subject to profiling (EDPB (2018). Guidelines on Automated Decision-Making and Profiling, p.25, https://ec.europa.eu/newsroom/article29/items/612053/en).

The phrase “significance and envisaged consequences” indicates that information must be provided about intended or future processing and about how the automated decision-making might affect the data subject. In order to make this information meaningful and understandable, real, tangible examples of the type of possible effects should be given (EDPB (2018). Guidelines on Automated Decision-Making and Profiling, p.26, https://ec.europa.eu/newsroom/article29/items/612053/en).

Further Processing and Purpose Limitation

Data processed in loyalty schemes may derive from data that was originally collected for different purposes of processing, either from corporate databases or from external sources.

In this respect, the Data Controller is required to evaluate whether this additional processing is compatible with the original purposes for which the data were each time collected according to the following factors (see article 6 § 4 of the GDPR and WP29, Opinion 03/2013 on purpose limitation):

  • the relationship between the purposes for which the data have been collected and the purposes of further processing;
  • the context in which the data were collected and the reasonable expectations of the data subjects as to their further use;
  • the nature of the data;
  • the impact of the further processing on the data subjects; and
  • the safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.

In line with the principle of accountability, the Data Controller is required to document the foregoing evaluation.

Rights of Data Subjects in Relation to Loyalty Schemes

Loyalty schemes oblige data controllers to honour the rights of the data subjects participating in them.

In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, and secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or measures having such an effect (see recital 71 of the GDPR).

In loyalty schemes where personal data are processed for the purposes of direct marketing, the data subject has the right to object at any time and free of charge to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information (see recital 70 and article 21 § 2-3 of the GDPR).

Of particular importance is also the right of the data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (article 22 § 1 of the GDPR). Such a decision is permitted only where it is necessary for entering into or performing a contract with the data subject, is authorised by Union or Member State law, or is based on the data subject’s explicit consent (article 22 § 2 of the GDPR). In the first and the third case the controller must implement suitable safeguards, including at least the right of the data subject to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision (article 22 § 3 of the GDPR). A loyalty scheme that takes such decisions must therefore rest on one of these grounds and offer these safeguards.

A legal effect requires that the decision, which is based on solely automated processing, affects someone’s legal rights, such as the freedom to associate with others, vote in an election, or take legal action. A legal effect may also be something that affects a person’s legal status or their rights under a contract. Even if a decision-making process does not have an effect on people’s legal rights it could still fall within the scope of Article 22 of the GDPR if it produces an effect that is equivalent or similarly significant in its impact. In other words, even where there is no change in their legal rights or obligations, the data subject could still be impacted sufficiently to require the protections under this provision. The GDPR introduces the word ‘similarly’ to the phrase ‘significantly affects’. Therefore, the threshold for significance must be similar to that of a decision producing a legal effect. Recital 71 of the GDPR provides the following typical examples: “automatic refusal of an online credit application” or “e-recruiting practices without any human intervention”. For data processing to significantly affect someone the effects of the processing must be sufficiently great or important to be worthy of attention. In other words, the decision must have the potential to: (i) significantly affect the circumstances, behaviour or choices of the individuals concerned; (ii) have a prolonged or permanent impact on the data subject; or (iii) at its most extreme, lead to the exclusion or discrimination of individuals (EDPB (2018). Guidelines on Automated Decision-Making and Profiling, p. 25-26, https://ec.europa.eu/newsroom/article29/items/612053/en).

Data Protection By Design / Default in Loyalty Schemes

Data controllers operating loyalty schemes are required to have in place appropriate data protection measures and necessary safeguards that provide effective implementation of the data protection principles and, consequentially, data subjects’ rights and freedoms by design and by default.

Appropriate organisational measures of data protection may include, among others, the following measures in the operation of the loyalty scheme:

  • Identity and access management, restricting the number of individuals with access to personal data;
  • Encryption and key management;
  • Restriction on data processing locations;
  • Physical Security;
  • Minimization of personal data being collected;
  • Perform regular testing, assessment and evaluation of the effectiveness of security measures;
  • Raise awareness among employees handling personal data;
  • Involve the DPO in the design of systems and processes that incorporate the organisational and technical measures required to apply data protection by design and by default.

Appropriate technical measures of data protection may include, among others, the following measures in the operation of the loyalty scheme:

  • End to End encryption;
  • Data Validation;
  • Authentication;
  • Authorization;
  • Logical separation of data transferred in a distributed fashion;
  • Pseudonymisation of personal data, e.g. replacing the cardholder identifier with a keyed hash so that the data can no longer be attributed to a specific data subject without additional information that is kept separately; pseudonymised data remain personal data under the GDPR;
  • Anonymisation, which irreversibly eliminates any possibility of identifying the data subject and thereby takes the data outside the scope of the GDPR;
  • Tokenisation, which substitutes sensitive values (e.g. database fields, records) with surrogate tokens that carry no meaning outside the tokenisation system, the mapping between token and value being kept in a separately secured vault;
  • Ensure resilience and the restoration of availability of personal data, in case of security incident (e.g. back up, high availability etc.)
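
To make the difference between pseudonymisation, anonymisation and tokenisation concrete, the following Python example is added here; it is not part of the original text and not the code of any loyalty-scheme product. It pseudonymises the cardholder identifier with a keyed HMAC (stable per cardholder, reversible only by whoever holds the key), tokenises an e-mail address through an in-memory vault, strips direct identifiers before analytics (data minimisation), and shows the failure mode a practitioner must watch for: an unkeyed hash of a low-entropy identifier such as a loyalty card number is not a pseudonymisation at all, because the identifier space can simply be enumerated. The card-number format “LC” plus four digits, the key handling and the records are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example records, not real data. The identifier format is an
# assumption for this example and deliberately low-entropy.
RECORDS = [
    {"card_id": "LC0042", "name": "A. Example", "email": "a@example.test", "basket": ["milk", "nappies"]},
    {"card_id": "LC7311", "name": "B. Example", "email": "b@example.test", "basket": ["wine"]},
    {"card_id": "LC0042", "name": "A. Example", "email": "a@example.test", "basket": ["baby food"]},
]
ID_SPACE = [f"LC{i:04d}" for i in range(10_000)]   # everything an attacker would try


def pseudonymise(card_id: str, key: bytes) -> str:
    """Keyed pseudonym: the same cardholder always maps to the same value, so
    analytics can still link records, but nobody can reverse or recompute it
    without the key, which is the 'additional information kept separately'."""
    return hmac.new(key, card_id.encode(), hashlib.sha256).hexdigest()[:32]


def naive_hash(card_id: str) -> str:
    """What NOT to do: an unkeyed hash of a guessable identifier."""
    return hashlib.sha256(card_id.encode()).hexdigest()


def reverse_naive_hash(digest: str):
    """Recover the card id behind an unkeyed hash by enumerating the id space.
    10,000 hashes take milliseconds; longer identifiers with a fixed prefix
    and a check digit shrink the search space in the same way."""
    for candidate in ID_SPACE:
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def minimise_for_analytics(records: list[dict], key: bytes) -> list[dict]:
    """Drop direct identifiers and replace the card id with its pseudonym;
    only the fields the profiling purpose actually needs survive."""
    return [{"subject": pseudonymise(r["card_id"], key), "basket": r["basket"]} for r in records]


class TokenVault:
    """Tokenisation: the real value lives only in the vault, the token is
    random and carries no information about it. Detokenisation needs vault
    access, which is why the vault is secured and logged separately."""

    def __init__(self) -> None:
        self._by_value: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenise(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    # Assumption: in production the key lives in a KMS/HSM, never beside the data.
    key = secrets.token_bytes(32)
    print(minimise_for_analytics(RECORDS, key))
    print(reverse_naive_hash(naive_hash("LC0042")))   # LC0042: the unkeyed hash is reversible
    vault = TokenVault()
    tok = vault.tokenise("a@example.test")
    print(tok, vault.detokenise(tok))
```

Two caveats follow from the code. The pseudonymised analytics set is still personal data: whoever holds the HMAC key (or the vault) can re-identify every row, so key and vault belong in a separate trust boundary with their own access control and audit log. And none of this is anonymisation; the baskets alone may re-identify a cardholder with an unusual purchase history, so a claim that data are anonymised needs a separate re-identification analysis.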

DPIAs for Loyalty Schemes

In most cases, data processing in loyalty schemes involves at least two of the following criteria of high risk and is, therefore, subject to the execution of a DPIA (EDPB (2018). Guidelines on DPIAs, https://edpb.europa.eu/our-work-tools/our-documents/guidelines/data-protection-impact-assessments-high-risk-processing_en):

  • Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements” (recitals 71 and 91 of the GDPR).
  • Automated-decision making with legal or similar significant effect: processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person” (Article 35(3)(a) of the GDPR).
  • Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area” (Article 35(3)(c) of the GDPR).
  • Data processed on a large scale, especially in regard to the volume of data and/or the range of different data items being processed and the duration, or permanence, of the data processing activity.
  • Matching or combining datasets, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
  • Innovative use or applying new technological or organisational solutions, such as technologies of artificial intelligence.

According to recital 91 of the GDPR, a data protection impact assessment should be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data.

According to Decision no. 65/2018 of the Greek DPA on the list of activities requiring DPIA, data processing in loyalty schemes falls under the scope of category 1.1. of high-risk data processing activities, which concern, among others, the systematic evaluation of the data subject’s aspects related to his / her personal preferences or interests, credibility or behavior.

Designation of Data Protection Officers

Controllers and processors are required to designate a data protection officer in any case where their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (see Article 37(1)(b) of the GDPR).

The core activities of a controller or processor relate to “primary activities and do not relate to the processing of personal data as ancillary activities” (recital 97 of the GDPR). ‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals (EDPB (2016). Guidelines on DPOs, https://ec.europa.eu/newsroom/article29/items/612048/en).

Since it involves regular and systematic monitoring of data subjects on a large scale and serves an independent purpose of processing rather than being an ancillary activity, the operation of a loyalty scheme in itself renders the designation of a DPO compulsory.

Jurisprudence

In September 2019, the Belgian data protection authority imposed a fine of € 10,000 on a merchant for the disproportionate use of the electronic identity card for the purpose of creating a loyalty card. The electronic identity card contained a great deal of data on its holder, and the use of this data without the customer’s consent was considered disproportionate in relation to the service offered. In particular, the consent given in the case under consideration was not considered freely given because no alternative was offered to clients: clients who refused to have their electronic identity card used to create a loyalty card were penalised and could not benefit from advantages and reductions.

On 26 May 2020, the Finnish DPA imposed an administrative fine for several deficiencies in personal data processing, among them that the company’s privacy statement did not contain information on the automated decision-making and profiling performed in its loyalty scheme (https://edpb.europa.eu/news/national-news/2020/finnish-dpa-imposes-administrative-fine-several-deficiencies-personal-data_en).

The Austrian DPA imposed a fine of EUR 2,000,000 on Rewe affiliate Ö-Bonus Club GmbH. When customers signed up for the jö Bonus Club loyalty programme, the controller had failed to explain properly that customers’ data and shopping behaviour were used to create individual profiles and that this information was also passed on to partner companies. The controller had designed the registration for the jö Bonus Club in such a way that the explanation about profiling could only be found after scrolling down, whereas the consent was placed higher up, so in all cases the consents were obtained before the explanation (https://www.enforcementtracker.com/ETid-792#/).