The right to information is largely ignored. In order to retain as many loyal customers as possible, the Greek supermarket chain Alfa Vita (AB) has launched a loyalty card program called “AB plus”. Although AB strives to collect as much personal information as possible about its 2.2 million customers, its compliance with EU law is lacking. This became clear when a consumer tried to exercise her right to information. She is at the AB Plus Personal Level of AB’s loyalty program. This means that AB processes “their purchasing habits, the frequency of their visits to an AB store, the use of the offers communicated to them, their home address, the total cost of their purchases” for profiling purposes. Nevertheless, AB only provided her with a list of her transactions and her contact details, but no other information derived from them. Despite a clear ruling by the Court of Justice, AB also explicitly refused to provide a list of the recipients of such data. (see Case C-154/21).
Kleanthi Sardeli, data protection lawyer at noyb: “The GDPR clearly states that a company’s response to an access request must include all the information it holds about a customer. The Court has made it clear that this includes all recipients who have received your personal data. The fact that AB is deliberately withholding large amounts of this data is clearly illegal.”
More GDPR rights only for “AB Plus Unique” customers? AB Plus Personal Customers, including the complainant, cannot even access the amount they have saved by using their loyalty card. On its website, AB advertises access to this data as an exclusive feature for “AB Plus Unique” customers. An “upgrade” to AB Plus Unique would require consent to share data with other third parties. This is not only absurd, but clearly unlawful. Companies must “facilitate” access to personal data, not hold it hostage. Overall, this case shows that even companies that rely heavily on personal data, such as a loyalty program, are still not complying with the basics of the GDPR eight years after it was passed in 2016.
Kleanthi Sardeli, data protection lawyer at noyb: “AB is basically asking you to agree to an ‘upgrade’ and allow data sharing in order to exercise your fundamental rights under EU law. This is completely absurd, but shows how little companies care about the GDPR.”
“Give us your information if you want to save money.” Food is one of the biggest costs for every household. More and more discounts are strictly linked to the possession of a loyalty card, allowing companies to track, profile and manipulate consumers, making participation de facto mandatory. In times of rapidly rising food prices and an economic downturn, and especially for customers in low-income Member States, they may have little choice but to agree to share personal data in order to access cheaper food. Of course, these “discounts” are built into supermarkets’ pricing models. This means that in reality, customers are only getting discounts on previously inflated prices.
Kleanthi Sardeli, data protection lawyer at noyb: “In times of rising prices, more and more people have to rely on loyalty cards to save some money when shopping. This puts supermarkets like AB in a strong position to blatantly ignore people’s fundamental right to privacy.”
GDPR complaint filed in Greece. noyb has now filed a complaint with the Greek Data Protection Authority (DPA) requesting an investigation into AB’s processing operations and an order to comply with the complainant’s request for information. In addition, noyb The DPA proposes to impose a fine of up to 4% of AB’s annual turnover to prevent similar infringements in the future.
