rebecca-aldama-660180-unsplash

Loyalty Programs Under the Radar of GDPR

Lithuanian Data Protection Authority recently completed the investigation on proper personal data processing for direct marketing purposes. The target was the major food, household goods, and pharmacy retail chains that offer loyalty programs.

The following points were considered:

  • legal conditions for the processing of personal data;
  • amount of personal data processed;
  • information provided to data subjects
  • execution of data subject refusal to process personal data for direct marketing
  • terms of storage of personal data

Out of 12 cases, 11 were identified as personal data processing violations. The recommendations for customer data processing in loyalty programs were proposed. It is expected to be a help in understanding how mistakes could be avoided when handling personal data under GDPR.

Company’s legitimate interest is not the base for direct marketing

Some of the companies that offer loyalty programs, when processing personal data for direct marketing /profiling purposes, unreasonably relied on the Company’s legitimate interest. This cannot be considered as the proper lawful base of data processing.  In this case, the interests of the data subject (customer) are more important than the interests of controllers. Here personal data could be processed for direct marketing and profiling only with the consent of the data subject.

Collection of excessive information for loyalty programs

During the investigation, it was found that almost 40% of companies collect an excessive amount of data. I.e., require customers, when filling out a form for their loyalty cards, to indicate their exact date of birth. Inspectors believe that it would be enough for the consumer to indicate only the year of birth or their age.

In some cases, customers are asked to provide a copy of a business certificate for an individual activity. It was stated, that the collection of such documents is an inadequate and disproportionate measure to achieve the objectives (loyalty programs). To accomplish these goals, it would be enough for a person to indicate, as an example, the license number.

Data transfer to the 3rd parties

In more than a half cases, companies do not indicate specific third parties (partners) that customer data may be provided to. Therefore, the customer receives misleading or inaccurate information about the processing of their data.

Advertisement without an option to opt-out

Personal data subjects must be provided by an opt-out option when receiving marketing offers. However, some of the investigated companies do not provide clear, free, and easy-to-use options to opt-out of receiving these offers by text messages (SMS).  

The terms of storage of personal data

More than 60% of investigated loyalty programs’ providers had issues with the terms of keeping personal data. Some companies do not have specific terms for the storage of personal data. In others, these terms are unreasonably long or, in general, no data retention period has been set.

After the summary, the Lithuanian Data Protection Authority instructed companies that offer loyalty programs to eliminate detected violations.

Find out about the fines for non-compliance. 

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
Privacy Rights and it’s Challenges – 6 Years of GDPR

Privacy Rights and it’s Challenges – 6 Years of GDPR

Six years since GDPR came into force, the promise of stronger data protection is being undermined by the rise of...
Staying Ahead of GDPR Compliance: Lessons from LinkedIn’s €310 Million Fine

Staying Ahead of GDPR Compliance: Lessons from LinkedIn’s €310 Million Fine

LinkedIn Ireland was recently fined a record-breaking €310 million by the Irish Data Protection Commission for GDPR violations, underscoring the...
Preparing Your Small Business for GDPR Compliance

Preparing Your Small Business for GDPR Compliance

The General Data Protection Regulation (GDPR) is a European Union law that protects the privacy and personal data of individuals...
The GDPR Data Map – Your Complete Guide

The GDPR Data Map – Your Complete Guide

The General Data Protection Regulation (GDPR) is a European regulation establishing the framework for personal data protection of individuals in...
GDPR in Healthcare: Compliance Guide

GDPR in Healthcare: Compliance Guide

Since General Data Protection Regulation (GDPR) entered into force, the personal data protection has become more challenging to the Healthcare...
GDPR software: 10 Great Tools For Compliance in 2024

GDPR software: 10 Great Tools For Compliance in 2024

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
The lawful basis for Data Processing under the GDPR

The lawful basis for Data Processing under the GDPR

A lawful (or legal) basis for processing data must be satisfied before a business can process any personal data. Article 6...
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)?A Data Processing Agreement (DPA) is a legally binding document to be entered into...