Each Voyado client needs to determine the legal basis or bases for their processing of personal data. Clients may use different legal bases for specific parts of their processing. One useful legal basis for processing personal data is the performance of a contract, or taking steps to enter into a contract. Since membership terms can be regarded as a contract between the member and the company, companies may have a legal basis for processing personal data in order to perform their responsibilities under the contract.
However, it is then important to limit the processing to the minimum required by the terms of the agreement; otherwise you will need to find an additional legal basis (e.g. consent or legitimate interest). Which legal basis is the most suitable depends on your situation and on the processing you intend to do (e.g. profiling, disclosure of information to a third party or use of customer data for educational purposes).
If you opt to use consent as a legal basis, the GDPR makes it very clear that consents should not be blended with the terms of a contract. Instead, they need to be clearly specified. A consent shall be freely given, specific, informed, unambiguous and provided through an affirmative action. It is not clearly established how this correlates to a voluntary act of joining a loyalty program. The act of joining such a program should reasonably be considered an affirmative act. However, the discussion then becomes what the data subject can reasonably have assumed to consent to when joining the program and subsequently identifying themselves during checkout. Note that a consent that is a condition for the performance of a contract (e.g. providing a service or possibly a loyalty program) is not considered freely given. Therefore, you should only use consent as the legal basis for such processing that you can clearly separate from others and provide in a fully optional manner.
Opt in, or opt out
In Sweden, the rules for digital direct marketing are most clearly laid out in Swedma's ethical guidelines. These correspond well to the current draft of the coming (but much delayed) ePrivacy regulation. Both include a so-called "soft opt-in" rule. The rule means that if a customer provides their contact information at the time of a purchase, you have the right to send general direct marketing communication for related goods and services to the customer. The customer must, however, be able to opt out from direct marketing both at the time of purchase and every time you send them a marketing message.
With our functions to display and track member terms and control soft opt-in rules, most Voyado clients should have a legal basis to process personal data for administration of the loyalty program and send general marketing to prospects within the framework of the GDPR. But note that additional processing of personal data may require consent or another legal basis as described above.
It is also worth noting that the rules for soft opt-in vary greatly from country to country, which is why the upcoming ePrivacy regulation seeks to harmonize these rules in the EU.