GDPR PRACTICES FOR IDENTITY VERIFICATION IN THE BICYCLE RENTAL SECTOR IN BELGIUM
Authors
-
Bulgakova Daria
An Advocate, Ph.D. in International Law, Associate professor, Department of Law and Public Administration, Zaporizhzhia Institute of Economics and Information Technologies, Ukraine
Author
https://orcid.org/0000-0002-8640-3622
DOI:
https://doi.org/10.69635/mssl.2025.1.2.21Keywords:
Personal Data, Belgian Data Protection Authority, Data Protection Compliance, Identity Card, A Balancing TestAbstract
This article studies the Belgian Data Protection Authority’s decision of 19 August 2025 about a bicycle rental company that demanded users to provide their identity cards, where more information was placed for the contract performance, and, moreover, allowed continuous geolocation tracking. The case shows how personal data must be practically processed in compliance with the General Data Protection Regulation (GDPR). It spotlights the legal issues of necessity, legal interests, data minimization, together with the privacy, transparency, proportionality, and rights to access. The examination also stresses that location data, while not explicitly defined in the GDPR, qualifies as personal data too. The sanctions levied by the Belgian authority, including a reprimand and a warning, confirm the importance of executing robust safeguards to secure lawful processing and respect for data subjects’ rights. Also, by brooding on scholarly lookouts with a practical case, the study recommends enriching identity verification practices in shared mobility services, ensuring GDPR obedience while keeping user trust.
References
Arfelt, E., Basin, D., & Debois, S. (2019). Monitoring the GDPR. In P. Y. A. Ryan, S. Schneider, & K. Sako (Eds.), Computer Security - ESORICS 2019 (Vol. 11735, pp. 681–699). Springer International Publishing AG. https://doi.org/10.1007/978-3-030-29959-0_33
BU MIN, JIANG YINGHONG, WANG XIAOJUN, & PENG QINGYAN. (2016). Public bicycle renting personal terminal service system.
Bulgakova D., Bulgakova V. (2024). Facial Recognition at the Fitness Center Under the General Data Protection Regulation Article 9(1) and 9(2)(a). Jiao da fa xue ping lun NCTU law review, 14, 61–97. https://lawreview.law.nycu.edu.tw/lawreviewlaw/ch/app/data/view?module=nycu0040&id=33646&serno=d8011b0c-b400-4f87-83ba-9c2e85dfd61c
Bulgakova, D., & Bulgakova, V. (2023). The Compliance of Facial Processing in France with the Article 9 Paragraph 2 (a) (g) of (EU) General Data Protection Regulation. Naukovì Zapiski NaUKMA. Ûridičnì Nauki, 11, 64–76. https://doi.org/10.18523/2617-2607.2023.11.64-76
Bulgakova D., Bulgakova V. (2023 (a)). The processing of personal data in accordance with the principle of proportionality under the EU General Data Protection Regulation. PHILOSOPHY, ECONOMICS AND LAW REVIEW, 3 (1), 266 - 284. https://phelr.dduvs.edu.ua/?page_id=3199
Chhetri, T. R., Kurteva, A., DeLong, R. J., Hilscher, R., Korte, K., & Fensel, A. (2022). Data Protection by Design Tool for Automated GDPR Compliance Verification Based on Semantically Modeled Informed Consent. Sensors (Basel, Switzerland), 22(7), 2763. https://doi.org/10.3390/s22072763
Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., & Holz, T. (2019). We Value Your Privacy... Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy. https://doi.org/10.48550/arxiv.1808.05096
Dibble, S. (2020). GDPR for dummies (1st edition). For Dummies.
Document 21, Summary Conclusion, and Additional Document of 18 April 2025.
EDPB, Guidelines of 8 October 2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, version 2.0, paragraph 26.
Finck, M., & Pallas, F. (2020). They who must not be identified—distinguishing personal from non-personal data under the GDPR. International Data Privacy Law, 10(1), 11–36. https://doi.org/10.1093/idpl/ipz026
Governance, I. (2019). EU General Data Protection Regulation (GDPR), third edition - An Implementation and Compliance Guide (1st edition). IT Governance Publishing.
GUO ZIKUN, DU HONGLEI, MA TAO, JIA PEIQI, GAO CHAO, CUI PENGFEI, YAN LEI, LI YONGCHUN, ZHANG XIN, CHEN LINA, & HU YONGQING. (2023). Self-service bicycle taking and returning method, device and system based on shared bicycle and user mobile terminal.
Hansen, Marit., Kosta, Eleni., Nai-Fovino, Igor., & Fischer-Hübner, Simone. (Eds.). (2018). Privacy and Identity Management. The Smart Revolution : 12th IFIP WG 9.2, 9.5, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Ispra, Italy, September 4-8, 2017, Revised Selected Papers (1st ed. 2018.). Springer International Publishing. https://doi.org/10.1007/978-3-319-92925-5
Harris, D., Samuel, S., & Probert, E. (2018). GDPR confusion. Veterinary Record, 183(12), 388–388. https://doi.org/10.1136/vr.k3956
ITGP Privacy Team. (2017). EU General Data Protection Regulation (GDPR) : an implementation and compliance guide (2nd ed). IT Governance Publishing.
Johnson, G. A., Shriver, S. K., & Goldberg, S. G. (2023). Privacy and Market Concentration: Intended and Unintended Consequences of the GDPR. Management Science, 69(10), 5695–5721. https://doi.org/10.1287/mnsc.2023.4709
Kollnig, K., Binns, R., Van Kleek, M., Zhao, J., Lyngs, U., Tinsman, C., & Shadbolt, N. (2021). Before and after GDPR: Tracking in mobile apps. Internet Policy Review, 10(4), 1–30. https://doi.org/10.14763/2021.4.1611
Laybats Claire, & Davies, J. (2018). GDPR. Business Information Review, 35(2), 81–83. https://doi.org/10.1177/0266382118777808
Litigation Chamber of the Belgian Data Protection Authority (DPA), Decision on the merits No. 132/2025, the case no. DOS-2024-01301, 19 August 2025, https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-132-2025.pdf
Machuletz, D., & Böhme, R. (2020). Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR. https://doi.org/10.48550/arxiv.1908.10048
Malgieri, G. (2023). Vulnerability and data protection law (First edition.). Oxford University Press. https://doi.org/10.1093/oso/9780192870339.001.0001
Pinto, R. (2024). Part 4 - Digital Identity Era: A Probabilistic Future. In Decentralized Identity Explained. Packt Publishing, Limited.
Porcelli, L., Mastroianni, M., Ficco, M., & Palmieri, F. (2024). A User-Centered Privacy Policy Management System for Automatic Consent on Cookie Banners. Computers (Basel), 13(2), 43. https://doi.org/10.3390/computers13020043
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
Sharma, S., & Menon, P. (2020). Data privacy and GDPR handbook (1st edition). John Wiley & Sons.
The DPA Act, https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&cn=2017120311&table_name=wetYUMINMIN&WEIWEI. (2017). Public bicycle rental system and its control method and device.
Published
Issue
Section
License
Copyright (c) 2025 Bulgakova Daria (Author)
This work is licensed under a Creative Commons Attribution 4.0 International License.
All articles are published as open access and are licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0). This means that authors retain the copyright to the content of their articles. Under the CC BY 4.0 license, the content can be copied, adapted, displayed, distributed, republished, or otherwise reused for any purpose, including commercial use, provided that proper attribution is given to the original authors.
How to Cite
