Each Voyado client needs to determine the legal basis or bases for their processing of personal data. Clients may use different legal bases for specific parts of their processing. One useful legal basis for processing personal data is the performance of a contract or taking steps to enter into a contract.
Since membership terms can be regarded as a contract between the member and the company, companies may have a legal basis for processing personal data in order to perform their responsibilities in the contract.
Limit the processing
However, it is important to limit the processing to the minimum required by the terms of the agreement; otherwise, you will need to find an additional legal basis (e.g. consent or legitimate interest). Which legal basis is the most suitable depends on your situation and on the processing you intend to do (e.g. profiling, disclosure of information to a third party, or use of customer data for educational purposes).
Consent as legal basis
If you opt to use consent as a legal basis, the GDPR makes it very clear that consent should not be blended with the terms of a contract. Instead, the consent needs to be clearly specified.
The consent shall be freely given, specific, informed, unambiguous, and provided through an affirmative action. It is not clearly established how this correlates to a voluntary act of joining a loyalty program.
The act of joining such a program should reasonably be considered an affirmative act. However, the discussion then becomes what the data subject can reasonably have assumed to consent to when joining the program and subsequently identifying themselves during checkout.
Note that consent that is made a condition for the performance of a contract (e.g. providing a service or possibly a loyalty program) is not considered freely given. Therefore, you should only use consent as the legal basis for processing that you can clearly separate from other processing and provide in a fully optional manner.
Opt-in or opt-out
In Sweden, the rules for digital direct marketing are most clearly laid out in Swedma's ethical guidelines. These correspond well to the current draft of the coming (but much delayed) ePrivacy regulation. Both include a so-called "soft opt-in" rule.
The rule means that if a customer provides their contact information at the time of purchase, you have the right to send general direct marketing communication for related goods and services to the customer. The customer must, however, be able to opt out of direct marketing both at the time of purchase and every time you send them a marketing message.
With our functions to display and track member terms and control soft opt-in rules, most Voyado clients should have a legal basis to process personal data for the administration of the loyalty program and to send general marketing to prospects within the framework of the GDPR. But note that additional processing of personal data may require consent or another legal basis as described above.
It is also worth noting that the rules for soft opt-in vary greatly from country to country, which is why the upcoming ePrivacy regulation seeks to harmonize these rules in the EU.
Unsure of your current Voyado setup? Contact Technical support. If you need to make changes to your setup, contact your Client Manager to scope the work needed.