Greek supermarket chain Alfa Vita (AB) runs a loyalty card program, allowing the collection of personal data of shoppers. Still, the company can’t even comply with baseline GDPR rights. When the complainant requested access to her data, AB left out most of the personal data it processed. noyb now filed a complaint with the Greek DPA.
Right of access largely ignored. To retain as many loyal customers as possible, the Greek supermarket chain Alfa Vita (AB) has introduced a loyalty card programme called “AB plus”. While AB is keen to collect as much personal information about its 2.2 million customers as possible, its compliance with EU law is lacking. This became clear when a consumer tried to exercise her right of access. She is registered to the AB Plus Personal tier of AB’s loyalty programme. This means that AB processes “their buying habits, the frequency of their visits to an AB store, the use of offers communicated to them, their home address, the total cost of their purchases” for profiling. Still, AB only provided her with a list of her transactions and her contact details, but no other information that it has derived from it. Despite a clear Court of Justice ruling, AB has also explicitly refused to provide a list of recipients of such data. (see case C-154/21).
Kleanthi Sardeli, data protection lawyer at noyb: “The GDPR clearly states that a company’s reply to an access request must include all the information it holds on a customer. The Court of Justice clarified that this also includes all recipients that got your personal data. The fact that AB deliberately withholds vast amounts of said data is clearly illegal.”
More GDPR rights only for “AB Plus Unique” customers? AB Plus Personal customers, including the complainant, can’t even access the amount of money they have saved by using their loyalty card. On its website, AB advertises access to this data as an exclusive feature for “AB Plus Unique” customers. However, an “upgrade” to AB Plus Unique would require consent to the sharing of data with other third parties. This is not only absurd, but clearly unlawful. Companies must “facilitate” the access to personal data, not hold it hostage. Overall, this case shows that even operations that rely heavily on personal data, such as a loyalty programme, are still failing to comply with the basics of the GDPR, eight years after it was adopted in 2016.
Kleanthi Sardeli, data protection lawyer at noyb: “AB is basically demanding that you agree to ‘upgrade’ and allow data sharing in order to exercise your fundamental rights under EU law. This is completely absurd, but it shows how little companies care about the GDPR.”
“Give us your data, if you want to save money”. Food is one of the biggest expenses for any household. More and more discounts are strictly linked to the possession of a loyalty card that allows companies to track, profile and manipulate consumers, making participation de facto mandatory. In times of rapidly rising food prices, an economic downturn and especially for customers in low-income Member States, there may be little choice but to 'agree' to share personal data in order to have access to more affordable food. Of course, these 'discounts' are built into supermarket pricing models. This means that, in reality, customers only get discounts on previously inflated prices.
Kleanthi Sardeli, data protection lawyer at noyb: "In times of rising prices, more and more people have to rely on loyalty cards to save some money when shopping. This puts supermarkets like AB in a powerful position to blatantly ignore people's fundamental right to privacy".
GDPR complaint filed in Greece. noyb has now filed a complaint with the Greek authority (DPA), requesting an investigation of AB’s processing operations and an order to comply with the complainant’s access request. In addition, noyb suggests the DPA to impose a fine of up to 4% of AB’s annual turnover to prevent similar violations in the future.