The Belgian Data Protection Authority, Gegevensbeschermingsautoriteit (GBA), has announced that it is planning to launch an investigation into Carrefour’s fingerprint payment system.
On Tuesday, the supermarket chain Carrefour announced that it was organising a biometric payments pilot in a store in the centre of Brussels, which would allow clients to pay for their groceries with their fingerprint.
Customers would be able to pay for products by scanning their finger at the cash register, after which the money would automatically be deducted from their bank account.
The watchdog previously contacted Carrefour informally regarding another project whereby customers could add points to their loyalty card with their fingerprint.
“We asked Carrefour a few questions and discovered that a test had already taken place,” said David Stevens, the president of the GBA, reports De Standaard.
“It turned out that Carrefour had already collected fingerprints. Now that we’ve heard the news about the new experiment with fingerprint payments, there’s a good chance we’ll send our inspectors. I cannot yet formally confirm that we will do that, but I think there is a good chance.”
Under the EU General Data Protection Regulation (GDPR), companies are forbidden from collecting biometric data like fingerprints. Exceptions are made, “but people have to explicitly give their consent in those cases,” said Stevens.
“Customers really have to understand the risks. If, through hacking, your password falls into the wrong hands, you can replace it. But you cannot just change your fingerprint, face or the iris of your eye. Hence the strict rules.”
Carrefour spokesperson Aurélie Gerth has assured customers that their information is secure and that the supermarket is GDPR compliant.
“We will work with companies that specialize in security,” Gerth said. “We are not the first company to collect fingerprints and there are also companies that collect other very sensitive personal information from their customers. Think of banks and the financial data of their customers.”