cross-posted from: https://sopuli.xyz/post/10336994
I often give fake info as an extra measure of data protection. If I don’t need the data controller to have my date of birth, I give a fake one.
Well this just screwed me because I made an access request and the data controller said: to verify your identity, tell us your date of birth. Fuck me. I didn’t keep track of which fake date I gave them. I didn’t even keep track of whether I gave fake info. So they could treat my otherwise legit request as a breach attempt.
I should have kept track of the birth date I supplied. I will; from now on.
Grocery store loyalty card. I actually quit all grocer loyalty cards because the 1% savings or whatever is a lousy insignificant amount for being tracked in such detail. And I switched to cash. The grocer’s website started blocking Tor so I started boycotting them and I’m just digging around on the principle that if they don’t have enough privacy respect to serve Tor users then they should be probed.
The whole point of the loyalty card is to do market research. They would likely claim that processing birth date is lawful under Art.6¶1(b) (“processing is necessary for the performance of a contract”). But is it? I mean, buying the food doesn’t even need a contract. One could argue that offering exclusive promos to cardholders does not require any data collection. But it would defeat the grocer’s purpose for entering into the contract. I guess I should read up on EDPB guidelines 2019/02… that should have the answer.
Providing the service is selling groceries, that doesn’t require a birth date.
So it’s not possible to sneak it under performance of contract. Only Legitimate Interest or Consent could be valid, and you can oppose/retract.
But good readng, please provide our findings, that will save me a reading 😅