Loyalty Programs Under the Radar of GDPR

The Lithuanian Data Protection Authority recently completed an investigation into whether personal data is processed properly for direct marketing purposes. The targets were the major food, household goods and pharmacy retail chains that offer loyalty programs.

The following points were considered:

  • legal conditions for the processing of personal data;
  • amount of personal data processed;
  • information provided to data subjects;
  • execution of a data subject's refusal to have personal data processed for direct marketing;
  • terms of storage of personal data.

Violations of personal data processing rules were identified in 11 of the 12 cases. The authority issued recommendations for processing customer data in loyalty programs, which are expected to help companies understand how such mistakes can be avoided when handling personal data under GDPR.

A company's legitimate interest is not a lawful basis for direct marketing

Some of the companies that offer loyalty programs, when processing personal data for direct marketing and profiling purposes, relied without justification on the company's legitimate interest. This cannot be considered a proper lawful basis for the processing. In this case, the interests of the data subject (the customer) outweigh the interests of the controller, so personal data may be processed for direct marketing and profiling only with the consent of the data subject.

Collection of excessive information for loyalty programs

During the investigation, it was found that almost 40% of the companies collect an excessive amount of data. For example, customers are required, when filling out a form for their loyalty card, to indicate their exact date of birth. The inspectors consider that it would be sufficient for the consumer to indicate only their year of birth or their age.

In some cases, customers are asked to provide a copy of a business certificate for an individual activity. The authority stated that collecting such documents is an inadequate and disproportionate measure for achieving the objectives of a loyalty program. To accomplish these goals, it would be enough for the person to indicate, for example, the license number.

Data transfer to third parties

In more than half of the cases, companies do not indicate the specific third parties (partners) to which customer data may be provided. As a result, the customer receives misleading or inaccurate information about the processing of their data.

Advertisement without an option to opt-out

Data subjects must be given an opt-out option when receiving marketing offers. However, some of the investigated companies do not provide a clear, free and easy-to-use way to opt out of receiving these offers by text message (SMS).

The terms of storage of personal data

More than 60% of the investigated loyalty program providers had issues with the terms for keeping personal data. Some companies have no specific terms for the storage of personal data at all; in others, the retention periods are unreasonably long or no data retention period has been set.

Following the summary of its findings, the Lithuanian Data Protection Authority instructed the companies that offer loyalty programs to eliminate the detected violations.
