A French railway company required its customers to specify whether they wanted to be addressed as “Mr” or “Ms” when booking their tickets online. A recent ruling of the Court of Justice of the European Union shows that such a requirement is unlawful. This is because the data relating to the title are not necessary for the performance of the contract between the rail carrier and the passenger. Nor is there a carrier’s legitimate interest in addressing its customers as personally as possible. Read on to find out why it is risky – from a GDPR perspective – to require customers to provide data relating to the title and what the implications are for online stores or other service providers.
Most online service providers, such as online stores, ask their customers for personal data in registration and order forms on a daily basis. This is standard practice, as data such as contact email or delivery address are often required to provide a service or deliver goods. In general, they are necessary to fulfil a contract. However, some other data are not necessary for this purpose even though they may seem standard and innocuous at first. Such data may be collected and processed on a legal basis other than the performance of the contract, such as the customer’s consent or a legitimate interest.
Let us return to the case of the French carrier mentioned in the introduction. Its customers were required to indicate their preferred title by ticking the box “Mr” or “Ms” when buying tickets online. This was indeed mandatory data; without selecting one of the options, the purchase could not be completed. The French LGBT association Mousse lodged a complaint against this practice with the relevant supervisory authority. The regulator, the Commission nationale de l’nformatique et des libertés (CNIL), the French equivalent of the Czech Office for Personal Data Protection, sided with the carrier and rejected the complaint stating that such processing of the data relating to the title was in line with the law. It added that addressing customers in a personalised manner using their title was in line with commercial, civil and administrative communications, and that the processing of the data relating to the title was necessary for the performance of the transport services contract in question. Mousse challenged the authority’s decision before the French court, which referred the matter to the Court of Justice of the European Union (the “CJEU”) for a preliminary ruling.
Do you want to address the customer in a personalised way? You are unlikely to justify it
In its decision (available here), the CJEU ruled in favour of Mousse, stating that the collection of data relating to the title for the purchase of tickets is neither necessary for the performance of the contract, nor can it be considered necessary for a legitimate interest of the carrier or a third party. In other words, the CJEU held that the mandatory provision of data relating to the title did not comply with the data minimisation principle within the meaning of Article 5(1)(c) of the GDPR.
The requirement to provide mandatory data relating to the title may be perceived as invasive and redundant, particularly as there are only two titles to choose from. Such practice is likely to lead to dissatisfaction or subsequent complaints from customers who are unable or unwilling to identify with either category. Although the issue of obtaining data relating to the title may seem unimportant or even trivial, it can put customers in uncomfortable position of having to publicly identify themselves in terms of sex or gender. All this just to buy train tickets, for example, as in the French case. From a data protection perspective, this increases the risk of potential complainants.
The Czech supervisory authority (the Office for Personal Data Protection) can also impose heavy fines and remedies for processing of personal data without legal grounds and for violating the principle of data minimisation. There is also a risk of damage to reputation or a risk that affected customers will file civil actions.
The right approach
The GDPR requires that the personal data processed are adequate, relevant and limited to what is deemed necessary. In each specific case, it is important to carefully consider whether the data requested are actually necessary for the provision of the services in question and whether there are less invasive ways of achieving the same objective.
In this case, it is likely that the carrier would not have lost the court case if the filling in the title fields had been optional, i.e., if the customer had been allowed to purchase the tickets without selecting the title. Alternatively, the carrier could have used a drop-down list with several options, including the option “I do not wish to specify”, etc. The customer must have a real, not just an apparent, freedom not to specify any option. The legal basis for processing such voluntarily provided data will typically be the customer’s consent. Again, the customer must be duly informed of the possibility of withdrawing their consent at any time and must have the possibility of deleting or modifying the data, e.g., in the user account environment. In addition, all personal data, including those voluntarily provided by the customer, may only be processed for a specific purpose, e.g., better targeting or profile personalisation.
In this respect, it will be easier to justify that the service provider wishes to process customer’s gender data, for example, in order to provide gifts to loyal customers and to ensure their basic personalisation according to gender, i.e., to provide men with different types of goods than women. In such a case, in our view, the service provider’s position will be stronger, but it will always depend on the specific circumstances of the business relationship and the purpose for which the service provider wants to use the customer’s data. Again, in the light of the case law, the provider should bear in mind that some customers may still prefer not to provide this information (even at the risk of receiving a less appropriate gift).
Thus, service providers that require customers to provide personal data to process an order or registration should check their online forms to ensure that they do not request data they cannot justify collecting and processing in light of the above. As part of its inspection activities, the Czech Office for Personal Data Protection monitors the scope of the data required, including data provided voluntarily (optional fields). They also check whether the scope complies with the principle of minimisation. We are not yet aware of any sanctions imposed in relation to the gender data. However, we are aware that in at least one case, the audited entity stopped collecting the voluntary (optional) gender data during the audit. In this context, the Office for Personal Data Protection found that the principle of minimisation had been complied with. Clearly, it is not easy to set up registration or order forms correctly. Our team of experienced data protection experts is ready to help you find a legally sound and commercially viable approach.
