News November 2008
European Law - European Commission State Aid Update
On May 20 2008 the European Commission adopted a new notice on state aid in the form of guarantees. The notice sets out the criteria and methodology to be applied in order to evaluate whether a guarantee contains a state aid element. In addition, the notice provides simplified rules for small and medium-sized enterprises (SMEs) by creating a safe harbour where guarantees to SMEs will not be deemed to entail state aid.
The new notice confirms the market investor test as the benchmark to determine the existence of aid. Consequently, the notice requires that a proper risk assessment be conducted in order to analyze whether the guarantee is in conformity with the market conditions.
The notice applies to all economic sectors and replaces the former notice which was adopted in 2000. Member states will be expected to adjust their existing guarantee measures to comply with the new notice by January 1 2010.
On May 21 2008 the commission published the spring update of its State Aid Scoreboard. The scoreboard shows, in particular, that member states’ use of state aid for environmental purposes is increasing. Although the number of environmental measures has remained stable in most member states in recent years, the total expenditure for environmental purposes doubled between 2001 and 2006, from €7 billion to €14 billion. A large proportion of aid for environmental purposes consists of exemptions from environmental taxes.
In addition, the scoreboard indicates that there has been an improvement in the recovery of unlawful and incompatible aid. The Spring 2008 update also includes, for the first time, comparable data for Romania and Bulgaria.
Information Technology - Data Protection Authority Fines Supermarket for Misuse of Loyalty Card Information
The Data Protection Authority has applied a relatively new provision of data protection law in penalizing GS, the group which manages the well-known supermarket chain of the same name. The authority fined GS €54,000 for failing to provide customers with adequate information regarding the use of personal data collected as part of a loyalty scheme. On the basis of the same provision, the authority also issued a warning to GS and ordered it to comply with the Provision on Loyalty Cards (issued on February 24 2005) by May 31 2008.
Like many other retailers, GS collected customers' personal data in order to issue them with loyalty cards, which are normally used to offer rewards and discounts. After years of investigation, the authority found that GS had illicitly collected such data without supplying customers with the information required under the Data Protection Code. GS collected not only its customers’ names and how much they spent, but also:
- their email addresses and mobile phone numbers;
- their employment details;
- the number of receipts issued to them; and
- details of the products that they bought and the branches where the products were purchased.
This information allowed GS to create profiles of its customers, evaluate their loyalty, classify them accordingly and locate them in relation to each point of sale. On the basis of this data, GS was able to develop customized advertising campaigns.
In the course of the authority's proceedings against it, GS modified the forms it used to collect customer data, but the authority found that the amended forms also failed to comply with data protection requirements: although the forms stated that the information collected would be used for profiling and marketing, they did not ask customers to give their specific consent to each of the uses in question.
The authority had already set out the principles applied in this case in the provision of February 24 2005, which states that a data holder must carry out profiling activities in a way that prevents customers from being identified; the data in the profiles must be anonymous as far as possible. In addition, customers must be informed clearly and in detail of every purpose for which data will be processed. Thus, if customer data is collected and processed not only for the purposes of managing a loyalty programme, but also for use in the distribution of marketing communications and the creation of consumer profiles, this information must be explicitly stated.
Furthermore, the provision clarifies that individuals' consent is not required for the processing of data needed to issue loyalty cards and provide special discounts. Such activity falls within Article 13 of the code, which states that consent is unnecessary if processing is essential to the performance of contractual obligations. However, the provision states that processing for other purposes (including marketing and profiling) which allow individual customers to be identified is conditional on the data subject's specific and express consent. Personal data on customers which is intended for use in marketing and profiling must be stored for no longer than is strictly necessary for these activities. In any event, data may not be retained for over 12 months for profiling activities or over 24 months for marketing activities.
