Are you a retailer creating new contracts with customers at the POS?

Since data capture is our bread and butter, we put together a few helpful tips for you. We hope these guidelines and examples can help you in the work towards the General Data Protection Regulation deadline on May 25 this year.

Contract as legal ground

One of the legal grounds for processing data of customers is the performance of a contract. Here are a few helpful scenarios that we illustrated for you with a legal analysis of each situation.


Example 1. Customer enters a membership contract by giving their name and phone number to the cashier to become a member

This is a common scenario. The customer simply offers a form of identifier verbally. The cashier will key this information into the Point of Sale computer system. Please note the legal terms and conditions are available in a folder facing the customer.

Is there a contract now between the customer and the company?

A verbal contract has been entered, but there is a risk in relying solely on verbal confirmation. The main concern is that there is no proof of this person accepting the terms and conditions, nor is there proof that the store staff provided the correct information. In this case it is difficult to prove that the processing of information is due to the performance of a contract. In the event of a compliance investigation or legal case, there is a big risk that the retailer fails to meet the requirements of the GDPR and becomes subject to high fines.


Example 2. After passing the phone number the customer accepts the terms and conditions verbally

This scenario would take the previous example one step further. After passing personal information we ask the customer if they accept the terms and conditions of the contract. Please note the legal terms and conditions are still available in a folder facing the customer.

Is there a contract now between the customer and the company?

This also depends on how much risk you want to take. The main problem is the same as in the example above: how can the retailer prove that the information was given by the customer and not gained by other means? If you save the surveillance camera footage and you have an audio recording so you can hear what was said, you will have a stronger case proving that the customer was informed, but there may be other problems with saving surveillance footage for a longer period of time.


Example 3. Customer confirms the terms and conditions via SMS

Right after the customer has passed on the personal information, they will receive an SMS message. Once they reply Yes to the SMS, they have confirmed the terms and conditions. They can click on the link to access the complete terms and conditions.

Is there a contract now between the customer and the company?

A contract can be entered in writing as well as by electronic means. As a result, the confirmation of the terms and conditions via text is a written confirmation of the contract. This also helps to prove what was agreed.

There is always a risk that someone else's mobile phone number was provided and that someone else replied Yes. In this case, the retailer has not entered the contract with the right person. Then you process for the performance of a contract, just with the wrong person, which in some cases would probably be seen as excusable in a proceeding.

The answer is also a compliant consent as required by the GDPR, so this confirmation is good in two ways.


Example 4. Customer receives second reminder via SMS

The customer did not respond to the previous SMS and receives a reminder to accept the terms and conditions.

Is there a contract now between the customer and the company?

Legal analysis according to GDPR:

You can argue there is a contract just by providing a phone number verbally, but it will be impossible to prove what was agreed. A confirmation by the customer by SMS is a good way to prove that a contract exists. Where a customer is silent or inactive regarding the earlier request for membership, there is still no proof of what was agreed or said at the counter in the store. Sending a follow-up request is a step in the right direction to obtain acceptance of the terms and conditions. However, most probably the company has the same risk as in examples one and three above.


Example 5. Customer gives opt-in on a second display at the POS

The customer types in their information on a tablet at the cash desk. After entering the mobile number they are asked to confirm the legal terms and conditions.

Is there a contract now between the customer and the company?

Legal analysis according to GDPR:

This is the clearest version of an entered contract. If your company has the possibility to register new members this way, there would be no room to doubt the legal ground for processing customer data.

Consent as legal ground

One thing that is important to keep in mind is that the scenarios above may be considered as the customer giving their consent rather than entering a contract.

Contract as legal ground has been suggested by the Swedish retail association “Svensk Handel” as a recommendation to Swedish retailers on March 8. What still needs to happen is that the Swedish authority Datainspektionen gives its feedback on this approach.

If we read the doctrine in the area, there is much to suggest that Contract as legal ground will not be allowed by Datainspektionen. Therefore we also choose to cover Consent as legal ground.

Giving consent is another legal ground for processing personal data, and the requirements for gaining proper consent are stricter than the ones regarding contracts. If a person initiates a proceeding against you, they could claim that proper consent has not been given. It will then be your burden of proof to show that consent has been given in the meaning of the GDPR, or that your relation actually constitutes a contract and that the rules thereof should apply.

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

With the above analysis, it is clear that contract as a legal ground relates to situations where the performance of the said contract is conditioned on processing of data of the data subject, where the data subject is a party to the contract. Where processing data is not a condition precedent to performance of a contract and the data can be processed in any other way, Consent as a legal ground is a much preferred option. In summary, considering the daily and practical scenarios cashiers face, Consent as a legal basis for processing data is a more reliable way of staying on the good side of the Data Protection Authorities!

Here we can summarise that it can in fact be a good idea to prepare in case the future interpretation of GDPR shifts towards consent as legal ground. And would the above examples differ in any way?

The appropriate strategy when deciding which legal basis to follow is simply to consider what the purpose is, whether it can be achieved in a different way, and whether you have a choice. Given the nature of the sort of personal data required for membership, the better option would be consent as a legal basis.

Earlier, we clarified that consent as a legal basis for processing data is what is needed in these scenarios. So the question we should ask is whether the customer accepting the terms and conditions verbally is consent. According to Recital 32 of the GDPR, the requirement for consent as a legal basis is that it should be a clear affirmative act which is a freely given, specific, informed and unambiguous indication of acceptance by the customer to allow their personal information to be processed for the purpose of becoming a member. Consent can be given by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. In other words, giving consent verbally is permissible. However, consider Article 5(2) of the GDPR on accountability: the cashier representing any retailer is legally obligated to demonstrate compliance. It is advisable to keep records of such verbal acceptance by the customer. This enables sufficient justification when the need arises.
