> Not just from your loyalty number, but from your credit card (even if you're not a member). They use this to create a history of your purchases and create a demographic profile of you.

I believe GDPR would forbid this, but there may be (in Europe) something like "we consider logs of payments made in a store a legitimate interest", idk.

edit: an ongoing story, I suppose:

- Instead of only processing the payment, the German payment service “giropay” (formerly “paydirekt”) keeps the information about each individual item purchased in online shops. This may lead to the processing of sensitive, personal data.

https://edri.org/our-work/giropay-knows-what-you-bought-last...

> I have news for you: When you're grocery shopping, there are cameras watching you:

I don't think so. CCTV's goal is security. Not even employees can be filmed for a different purpose:

- The DPC received a complaint stating that a supermarket had instructed a third party to remove a CCTV hard-drive. The hard drive contained CCTV footage of the complainant's image from the store where the complainant worked as store manager. The complaint stated that no member of the supermarket staff accompanied this third-party contractor during the removal. The complainant alleged that the supermarket had viewed three weeks of CCTV footage. The footage contained the complainant’s image and the supermarket used this CCTV footage to ground a disciplinary hearing against the complainant. The complaint further stated that at no point had the complainant been consulted in relation to the removal, viewing or processing of the footage.

The key issue before the DPC was consideration of whether the supermarket had acted in accordance with the requirements of the applicable law when it processed the CCTV footage which contained images of the complainant, specifically Section 2A(1)(d) of the Acts which provide that a data controller shall not process personal data unless “the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.”. The DPC determined that the use of CCTV in employment situations should only be used for stated valid purposes, such as security. It should not be used for employee monitoring, and policies should be in place to ensure proportionality and transparency in the workplace. However, the DPC considered that, when the supermarket viewed the CCTV footage for the period, it did so in the pursuit of its own legitimate interests and in this instance found there was no contravention of the Act.

https://www.ejtn.eu/PageFiles/17861/Deciphering_Legitimate_I...

I'd say the same applies to credit/debit card number. They can only process the data to fulfill the purpose of paying for the goods, not add a legitimate interest to profile the customer.
That sounds like the kind of get-out I'd expect from a US company, or any other company with no significant assets under GDPR jurisdiction. The GDPR defines "legitimate interest", and that isn't one of them.