Are you a retailer creating new contracts with customers at the POS?

Since data capture is our bread and butter, we have put together a few helpful tips for you. We hope these guidelines and examples help you in your work towards the General Data Protection Regulation deadline on May 25 this year.

Contract as legal ground

One of the legal grounds for processing customer data is the performance of a contract. Here are a few scenarios we have illustrated for you, each with a legal analysis of the situation.

Example 1. Customer enters a membership contract by giving their name and phone number to the cashier to become a member

This is a common scenario. The customer simply gives a form of identifier verbally, and the cashier keys this information into the Point of Sale computer system. Please note that the legal terms and conditions are available in a folder facing the customer.


Is there a contract now between the customer and the company?

Legal analysis according to GDPR:

A verbal contract has been entered, but there is a risk in relying solely on verbal confirmation. The main concern is that there is no proof of this person accepting the terms and conditions, nor is there proof that the store staff provided the correct information. In this case it is difficult to prove that the processing of information is due to the performance of a contract. In the event of a compliance investigation or legal case, there is a big risk that the retailer fails to meet the requirements of the GDPR and becomes subject to high fines.

Example 2. After passing the phone number the customer accepts the terms and conditions verbally

This scenario takes the previous example one step further. After passing on their personal information, the customer is asked whether they accept the terms and conditions of the contract. Please note that the legal terms and conditions are still available in a folder facing the customer.


Is there a contract now between the customer and the company?

Legal analysis according to GDPR:

This also depends on how much risk you are willing to accept. The main problem is the same as in the example above: how can the retailer prove that the information was given by the customer and not obtained by other means? If you save the surveillance camera footage and it includes audio so you can hear what was said, you will have a stronger case that the customer was informed, but retaining surveillance footage for a longer period of time may raise other problems.

Example 3. Customer confirms the terms and conditions via SMS

Right after the customer has passed on their personal information, they receive an SMS message. Once they reply Yes to the SMS, they have confirmed the terms and conditions. The message contains a link they can follow to read the complete terms and conditions.


Is there a contract now between the customer and the company?

Legal analysis according to GDPR:

A contract can be entered in writing as well as by electronic means. As a result, the confirmation of the terms and conditions via text message is a written confirmation of the contract. This also helps to prove what was agreed.

There is always a risk that the customer provided someone else's mobile phone number and that this other person replied Yes. In that case the retailer has not entered the contract with the right person: the processing is still for the performance of a contract, just with the wrong person, which in some cases would probably be seen as excusable in a proceeding.

Example 4. Customer receives second reminder via SMS

The customer did not respond to the previous SMS and receives a reminder to accept the terms and conditions.


Is there a contract now between the customer and the company?

Legal analysis according to GDPR:

You can argue that there is a contract just by providing a phone number verbally, but it will be impossible to prove what was agreed. A confirmation by the customer via SMS is a good way to prove that a contract exists. Where a customer is silent or inactive regarding the earlier request for membership, there is still no proof of what was agreed or said at the counter in the store. Sending a follow-up request is a step in the right direction to obtain acceptance of the terms and conditions. However, the company most probably carries the same risk as in examples one and three above.

Example 5. Customer gives opt-in on a second display at the POS

The customer types their information on a tablet at the cash desk. After entering their mobile number, they are asked to confirm the legal terms and conditions.


Is there a contract now between the customer and the company?

Legal analysis according to GDPR:

This is the clearest version of an entered contract. If your company had the possibility to register new members this way, there would be no room to doubt the legal ground for processing customer data. The sequence of events should be: the terms and conditions are presented, the customer accepts them, and only then is their personal information gathered for processing. Once the customer has given their personal information, a contract can be claimed to have been entered.
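To make the ordering in Example 5 concrete, here is an added illustration (our own sketch for this article, not code from any POS product) of an enrollment flow that refuses to store personal data until the terms have been presented and accepted, and that produces an evidence record of what was accepted, when, and through which channel. The terms version label, the channel name, the digest of the terms text and the in-memory record are all our assumptions; a real system would persist the record.

```python
"""Added example (not part of the original article): a minimal enrollment flow
that enforces the order the article recommends for Example 5 and records
evidence of acceptance. Assumed: terms are identified by a version label and a
digest of the exact text shown; the evidence record is kept in memory here."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from hashlib import sha256
from typing import Optional


class SequenceError(Exception):
    """A step was attempted out of the required order."""


@dataclass
class Enrollment:
    """One membership enrollment on a second display at the cash desk."""
    terms_text: str                      # full terms shown to the customer
    terms_version: str                   # assumed label, e.g. "sample-v1"
    channel: str = "second-display"      # assumed channel name
    presented_at: Optional[datetime] = None
    accepted_at: Optional[datetime] = None
    personal_data: dict = field(default_factory=dict)

    def present_terms(self) -> str:
        """Step 1: show the terms; return a digest of exactly what was shown."""
        self.presented_at = datetime.now(timezone.utc)
        return sha256(self.terms_text.encode("utf-8")).hexdigest()

    def record_acceptance(self, accepted: bool) -> None:
        """Step 2: acceptance only counts after the terms were presented."""
        if self.presented_at is None:
            raise SequenceError("terms were not presented")
        if not accepted:
            raise SequenceError("customer declined the terms")
        self.accepted_at = datetime.now(timezone.utc)

    def capture_personal_data(self, **fields: str) -> None:
        """Step 3: refuse to store anything until acceptance is on record."""
        if self.accepted_at is None:
            raise SequenceError("no acceptance on record; not storing personal data")
        self.personal_data.update(fields)

    def evidence_record(self) -> dict:
        """The proof the verbal scenarios lack: what was accepted, when, and how."""
        if self.presented_at is None or self.accepted_at is None:
            raise SequenceError("contract not entered")
        return {
            "terms_version": self.terms_version,
            "terms_sha256": sha256(self.terms_text.encode("utf-8")).hexdigest(),
            "channel": self.channel,
            "presented_at": self.presented_at.isoformat(),
            "accepted_at": self.accepted_at.isoformat(),
            "fields_collected": sorted(self.personal_data),  # field names only, no values
        }


def run_correct_sequence() -> dict:
    """Constructed walk-through of Example 5 in the recommended order."""
    e = Enrollment(terms_text="Membership terms (constructed sample).", terms_version="sample-v1")
    e.present_terms()
    e.record_acceptance(True)
    e.capture_personal_data(mobile="+000000000")  # constructed placeholder number
    return e.evidence_record()


def run_wrong_sequence() -> str:
    """Constructed walk-through that tries to store data first, as in Examples 1 and 2."""
    e = Enrollment(terms_text="Membership terms (constructed sample).", terms_version="sample-v1")
    try:
        e.capture_personal_data(mobile="+000000000")
    except SequenceError as exc:
        return str(exc)
    return "unexpectedly stored data"


if __name__ == "__main__":
    print(run_correct_sequence())
    print(run_wrong_sequence())
```

The evidence record deliberately stores only the names of the collected fields, not their values, so the proof of contract can be retained and reviewed without becoming a second copy of the customer's personal data.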

Verifying membership at point of purchase

A situation that often arises in the retail industry is that customers verify their membership by providing a phone number or personal number at the cash desk.

We have made some notes in this chapter that can be helpful to know. Article 6-7 and Recital 32 of the GDPR tell us what the law expects. The scenarios below may be of help.

Example 1a: Should the company still offer customers the possibility of identifying themselves as members?

Yes. Here are a few scenarios based on popular ways of identifying customers.


If you have second displays in the store, you can let the customer scan a driver's license themselves or hand an ID card or driver's license to the cashier. If a customer does not have a driver's license, it is preferable that they write down their social security number so it is not overheard by other customers.

Mobile number, email

If they need to give a mobile number and/or email to identify themselves, we don't recommend that they say their mobile number out loud. Preferably the customer types their mobile number on a second display screen, for example.

What is important in both cases is what kind of information you display once a member has been identified.

Example 1b: Could the cashier verify the customer's membership if the customer gives their information verbally?

We don't recommend customers giving information verbally, as this can be overheard by others. If a customer does not have an ID card or the possibility to enter their data themselves on a second display, you can always ask them to write it down on paper. The cashier must be trained not to disclose any personal information or additional information to the person. A further routine should be to destroy papers containing personal information.

With this said, the cashier is verifying the customer's membership.

Example 2: Can you display bonus points earned to an identified member?

Yes. Display of customer bonus points may not be considered personal information under the GDPR. Showing on a second display that the member has a certain number of bonus points, without disclosing any personal data, should be acceptable. Simply ensure that no other information is displayed, intentionally or accidentally.