Data protection impact assessment policy

A data protection impact assessment policy is an internal document setting out how and when your business will assess the data protection risks of its activities. It’s important to have proper policies and procedures in place when you’re handling personal data and carrying out a data protection impact assessment is sometimes mandatory under Article 35 UK GDPR. A data protection impact assessment might also be referred to as a privacy impact assessment, a DPIA or a GDPR risk assessment. This template DPIA policy will help you to comply with your data protection obligations by setting out when and how your staff should consider carrying out data impact assessments. It also includes a template DPIA form, which has been produced by the Information Commissioner’s Office (ICO). This provides an example of how you can assess, record and seek to reduce the privacy risks associated with your projects. Where applicable, it also includes a template DPIA form for use by online services which are directed at, or are likely to be used by, children, which has been produced by the ICO. This will help relevant online services to comply with their obligations under the ICO's Age Appropriate Design Code. You can also purchase this policy as part of the Data protection policy toolkit .
£25 + VAT

Data subject request policy

This Data subject request policy will allow you to set up a policy that staff can refer to when responding to a request from an individual about their personal data that your business holds (a data subject request). Under the UK GDPR, individuals can make requests about their personal data that you collect, including requests to correct or delete personal data, or a request for a copy of the data and details of how your business uses it (known as a subject access request). There are both practical and legal steps that you need to take in order to minimise any disruption and fulfil your obligations under the UK GDPR when responding to a data subject request. Having this Data subject request policy in place will assist your business in identifying and responding appropriately to a data subject request. You can also purchase this policy as part of the Data protection policy toolkit .
£25 + VAT
See all solutions
Dealing with personal data during sales
Collecting personal data
Q1:Can I collect personal data from my customers during a sale?

You can collect the you need to carry out a sale (eg customer names, addresses and payment details), so long as you comply with law while doing so. It is important to take your obligations seriously; failure to comply with law can have serious financial and reputational consequences for your business, including fines of up to £17.5 million or 4% of your global annual (whichever is higher) in some cases.

See Q&A 2 for information on your legal obligations when collecting this way.

Q2:What are my legal obligations when I collect personal data from customers during a sale?

You should refer to Using personal data, policies and record-keeping for full details of your obligations, but the key points when collecting during a sale are as follows:

  1. you must have a lawful basis for . There are six lawful bases of , which are set out in detail in When to use personal data. In the context of a sale, your lawful basis could be that you need to process the data to fulfil a contract with the purchaser;

  2. you can only process for an explicit and legitimate purpose. If you collect the data for one purpose, you cannot then use it for some other purpose which the individual would not expect. For example, if you collect customers' details for the purposes of orders they have placed with you, you cannot use these details to start sending marketing emails unless you have their specific consent to do so. See Q&A 36 for a full explanation of how you can use you collect during a sale;

  3. you must ensure that you only collect data which is relevant and necessary for your purposes. In the context of a sale, collecting an individual's payment information, name and address would be fine because you need that information to carry out the sale. You may even need to know their age or date of birth if you are selling an age-restricted product. However, you must not ask for information which is irrelevant and unnecessary, for example: gender, sexual orientation or nationality;

  4. you must not keep for any longer than is necessary, and as a general rule you must try to keep it for the least amount of time possible. See The rules about storing data for further information about how to store personal information; and

  5. you must be clear with individuals from the outset about why you are collecting their and what you intend to do with it. In practice, this can usually be done by including a list of reasons for which you are collecting the data in a ; see When to use personal data and Privacy information for further information about what to include in your and How to tell people about a privacy policy and a cookie policy for information about how to communicate it. Templates for you to adapt for your business can be found here: Privacy policy and Cookie policy.

If you want to process , the rules are even more strict (see When to use personal data for information about when you can process ). You should not ordinarily need to process sensitive data for the purpose of a sale, so it will be difficult to justify doing so.

There are additional rules you need to comply with before you can send communications to generate sales. These rules vary depending on the method of communication you use to send your . These are not discussed in detail in this section; see Direct marketing - general for a full explanation.

Q3:Does Brexit affect my legal obligations when I collect personal data from customers during a sale?

It depends.

When the left the , the was retained in domestic law as the . Whilst your key obligations currently remain the same under both the and the , there are some important implications of Brexit that you need to be aware of.

  1. If your customers are only based in the

    From 1 January 2021, the applies to data controllers and data processors based in the , or those outside the whose data relates to offering or services to individuals in the , or monitors their behaviour. This means that it will apply to your of any collected from your customers and so your obligations will generally remain unchanged. You should review your privacy information and make any necessary changes (eg to remove references to the ); see How to tell people about a privacy policy and a cookie policy for more information.

    Bear in mind that if you transfer outside the during the course of your activities, you may need to take additional steps to ensure that the transfer is legally compliant following Brexit; see Sharing personal data outside the UK for more information.

  2. If you have customers based outside the

    If your based business has customers in the , from 1 January 2021 you will need to ensure that you comply with both the and the when you are their . Importantly, there are also implications for your treatment of that you collected from customers before 1 January 2021 (this is referred to as 'legacy data'); for more information see Sharing personal data outside the UK.

    You should also review your privacy information (eg your ) to make sure you have identified any changes you will need to make now that the has left the (see Privacy and cookies for further guidance).

    Finally, if you have customers in the but you do not have an office, branch or other establishment in an country, you may also be required to appoint a representative in the who can act on your behalf in relation to your compliance with the ; see Data protection obligations for more information.

    Note that full guidance on compliance with the is outside the scope of this service.

Collecting personal data when selling from a website or app
Q4:What are my data protection obligations when selling from a website or app?

Note that this answer highlights the key points you need to be aware of when selling from a website or app, but it does not explain all of your more general obligations. You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2). For general guidance on selling through a website, including the policies and terms and conditions you need to have in place, see Terms and conditions for online sales.

If you are running a website or app to sell your products you will be collecting from those who use it (eg payment information, names and addresses) and you must comply with law. Aside from taking customer information during the order process, you might also be using to store personal information that the customer enters. For example, on your website might store the customer's name, address and parts of their credit card information to make the payment process faster next time they make a purchase. You can find detailed information on the rules on use in Using cookies. The key points to be aware of are that you need to get user consent for most types of and you must provide the customer with information about how you use . You must obtain their consent the first time the customer uses the website or app, usually through a banner or pop-up window displayed prominently on your website. In terms of information about your use of , you should include this in your (a link to which must be provided in the banner notice or pop-up window). See Cookie policy and Privacy policy for templates you can adapt for your business

Note that if you sell your or services through an online marketplace (eg Amazon or eBay), then you will have signed up to that website's and you do not need your own; see Online marketplace versus own website for further information.

Q5:What are my data protection obligations when selling to children from a website or app?

If your website or app is likely to be accessed by children then, in addition to your general obligations (see Q&A 4), you should also comply with the 's . This contains 15 flexible standards, which set out measures websites and apps should put in place to ensure that children's data is safeguarded. For guidance about what these measures are, see Privacy and children.

Q6:Do my data protection obligations end after the sale is over when selling from a website or an app?

Your obligations do not end once you have concluded the sale. For example, you must only keep data that is necessary and you must store it securely – see Q&A 40 for further information on your obligations when storing .

In addition, there are restrictions on how you can use you have collected during sales. This is considered in detail at Q&A 36, but the key point is that you must always be open and transparent about how you are using personal information and have a lawful basis for it (there are six lawful bases, or reasons, for ; these are set out in detail in When to use personal data). If a customer orders a product online and gives you their home address for delivery of the product, you must not use this information for another purpose which they will not expect. For example, you should not their home address with third parties unless you have told the customer about this and you have a lawful basis for doing so. For further information on how you can use you have collected during sales, see Q&A 36.

Collecting personal data when selling over the telephone
Q7:What are my data protection obligations when selling over the telephone?

There are strict rules about when and how you can make sales and marketing calls. The rules are stricter if you want to make automated calls (ie where you wish to play a recorded message) as opposed to live calls. There are also specific rules about making calls to sell claims management services (eg for business which help people make PPI or personal injury claims) and making calls about occupational or personal pension schemes, which are outside the scope of this service. For detailed information on what you need to do before making any sales or marketing calls, you should refer to Direct marketing to individuals and Direct marketing to companies. See Q&A 8 for the key points.

Q8:What are the strict rules about making sales and marketing calls?

Note that this answer highlights the key points you need to be aware of when selling over the telephone, but it does not explain all of your more general obligations. You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2). For detailed information on what you need to do before making any sales or marketing calls, you should refer to Direct marketing to individuals and Direct marketing to companies.

The key points are as follows:

  1. before you make any kind of marketing call, check whether the person you want to call is registered with the () or, for businesses, the (). Calls to registered numbers are illegal, unless you have specific consent from the individual allowing you to call, regardless of the fact that their number is registered. If a number is not registered on the or and the individual has not otherwise told you they do not want to receive marketing calls, you are free to make live calls to the number, provided that, as best practice, either you have the individual's consent to do so, or calling that person is necessary for the of your business. If you are relying on , you should ensure that your calls are a targeted and proportionate way of making sales, and the individual's interests do not override yours (for example, frequent calls using pressure sales techniques are not likely to be appropriate for vulnerable people). See Direct marketing to individuals for more information;

  2. prior consent is required from both individuals and businesses if you wish to contact them via automated calling; consent given for live marketing calls is not sufficient;

  3. when making any form of marketing call you must always tell the recipient of the call who you are, allow your number to be displayed and give them your contact details if requested. You are legally required to provide individuals with a comprehensive setting out precisely how you will use , including use for purposes. To be strictly compliant with the , you should read out a script of your when making the sales call (for discussion of what information you should include in your and how to communicate it, see When to use personal data, Privacy information and How to tell people about a privacy policy and a cookie policy). For a template you can adapt for your business, see Privacy policy.

  4. Remember that both individuals and businesses can opt out of receiving sales and marketing calls if they wish, and you must not continue calling them if they do decide to opt out.

Q9:Do my data protection obligations end after the sale is over when selling over the telephone?

Your obligations do not end once you have concluded the sale. For example, you must only keep data that is necessary and you must store it securely – see Q&A 40 for further information on your obligations when storing .

In addition, there are restrictions on how you can use you have collected during sales. This is considered in detail at Q&A 36, but the key point is that you must always be open and transparent about how you are using personal information and have a lawful basis for it (there are six lawful bases of ; these are set out in detail in When to use personal data). If a customer gives you their phone number so that you can call them to discuss pricing options, you must not use this information for another purpose which they will not expect. For example, you should not it with third parties unless you have told the customer about this and you have a lawful basis for doing so.

For other information on selling over the telephone such as the policies you need to put in place, how to deal with age-restricted products and what you need to say when making sales calls, see Telephone sales.

Collecting personal data when selling by mail-order
Q10:What are my data protection obligations when selling by mail-order?

Note that this answer highlights the key points you need to be aware of when selling via mail-order, but it does not explain all of your more general obligations. You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2). If you are selling via mail-order, you should refer to Mail-order sales for full details of your responsibilities.

If you are sending out a catalogue or brochure to your customers so that they can view your products and make a (or posting advertising material to named individuals as part of your marketing strategy) you must comply with law. If you are posting leaflets through the door of every house in an area without knowing the names of the individuals who live there, you are not and do not need to comply with law. However, you may still need to comply with other guidelines and codes on marketing.

Your key obligations when contacting individuals by post are that you must have a lawful basis for the data, have obtained the address fairly and lawfully and you must provide a to each individual. You should provide the when the customer first gives you their address, and thereafter make sure that customers can access your (eg by having it clearly accessible on your website).

There are six lawful bases you can rely on when data; these are set out in detail in When to use personal data. You can normally rely on your as the legal basis for sending a catalogue or brochure (ie you do not usually need express consent from the recipient), provided that it is a targeted and proportionate way of making sales, and the individual's interests do not override yours (for example, frequent contact may not be appropriate for vulnerable people).

If you are sending marketing or sales information by post, the strongly recommends that you check whether any of the recipients have signed up to the (), which contains the details of people who have registered not to receive unsolicited marketing mail. This will help you avoid sending material to people who do not want to receive it, which will save your business time, money and resources. For more detail on the , including how to sign up, see the MPS website.

For information on sending post to individuals, including the right to opt out of communications, see Direct marketing to individuals.

Q11:Do my data protection obligations end after the sale is over when selling by mail-order?

Your obligations do not end once you have concluded the sale. For example, you must only keep data that is necessary and you must store it securely – see Q&A 40 for further information on your obligations when storing .

In addition, there are restrictions on how you can use you have collected during sales. This is considered in detail at Q&A 36, but the key point is that you must always be open and transparent about how you are using personal information and have a lawful basis for it (there are six lawful bases of ; these are set out in detail in When to use personal data). If a customer gives you their address so that you can send them a product, you must not use this information for another purpose which they will not expect. For example, you should not it with third parties unless you have told the customer about this and you have a lawful basis for doing so.

Collecting personal data when selling from a shop
Q12:What are my data protection obligations when selling from a shop or other business premises?

We often think of as something that belongs online. However, if you are selling and services from your business premises (eg if you run a shop, restaurant, hotel or hairdressing salon) law will still apply to you. You will often be collecting personal information from your customers. This section will explain what you need to do in a number of different situations that are likely to arise when selling from business premises.

How you deal with the collection of depends on the context in which you collected it.

  1. If you are using CCTV, see Q&A 13.

  2. If you take bookings or allow customers to make appointments, see Q&A 18.

  3. If you want to send e-receipts, see Q&A 21.

  4. If you ask customers to fill out feedback cards, see Q&A 24.

  5. If you want to run in-store raffles or prize draws, see Q&A 27.

Q13:Can I use CCTV or other video surveillance on my business premises?

Note that this answer highlights the key points you need to be aware of when using video surveillance on your business premises, but it does not explain all of your more general obligations. You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2).

In addition, there may be industry-specific CCTV requirements (eg for private or if you have supplying your CCTV) but these are currently outside the scope of this service. If you work in the industry, you can find out more about licensing requirements on the Security Industry Authority website.

If you use CCTV on your business premises, you will be capturing images of individuals (whether they are your customers, or passers by). An image of an individual is a form of personal information, which means that by using CCTV you are personal information and you must therefore comply with law.

You cannot use any form of video surveillance unless you have a lawful basis for doing so. There are six lawful bases for data ; these are set out in detail in When to use personal data. Even where you have a lawful basis, you should only use CCTV if it is reasonable and necessary to do so. The recommends that you conduct a () before installing CCTV, to consider the impact it may have on individuals and whether it is justifiable. You should keep a record of the result of the , including your findings as to whether the use of CCTV is necessary. See Data protection impact assessments for information on how to carry out a and Data Protection impact assessment policy for a template that will allow you to produce an internal policy to help you carry one out.

Q14:Do I have to tell people that I am using video surveillance?

You must inform people that you are using video surveillance before they enter into the area that is being monitored. The best way of doing so will be to display a sign in a prominent place at the entrance to your premises, and reinforcing this with additional signs inside the premises. If your CCTV camera captures the street or pavement outside your premises, you should also display a sign in the window of your premises or outside the building so that it can be clearly seen by passers by.

The sign must be clearly readable and unobstructed and it should be located at roughly eye level. It should state that video surveillance is in use on the premises and make it clear who is operating the system if this isn't already obvious. The sign must also explain why you are using video surveillance (eg as a measure against shoplifters), who to contact about the surveillance system and provide contact information. It should state that individuals have rights in relation to their . It should also state where people can find your full (eg on your website and also in hard copy), which should include details about your use of CCTV data. Note that if you will be providing this more detailed privacy information digitally, it must also be easily accessible in a non-digital format (eg on an information sheet or poster that are easily accessible). For information on what your should include see When to use personal data.

You should not install video surveillance systems in areas where customers and would expect privacy (eg changing rooms or toilets), unless you have very serious and specific concerns to deal with. Your video surveillance system must not record conversations between members of the public (ie it should record video only, without any audio). You should also ensure that any monitors which show the images being captured by your video surveillance system are kept in an area where members of the public cannot see them.

Q15:Are there any limitations on what I can use video surveillance for?

It is important that the video surveillance data you collect and store is limited to what is necessary. This will mean only placing cameras where they are absolutely necessary to achieve your specific , and retaining the captured footage only for as long as is needed to meet the purposes of recording them. See The rules about storing data for more information on how to store video footage captured by a surveillance system.

Q16:Can I share footage captured by my video surveillance with anyone outside my business?

Yes, however if you provide footage captured by your video surveillance system to anyone else outside your business for (eg to edit or analyse the data), you must have a lawful basis for doing so and a written . See Data processing agreements and data sharing agreements for more information on what this agreement must contain and Template data processing agreement for a template you can adapt for your business. However, if you are asked to disclose CCTV footage to the police to assist them in a criminal investigation, you may do so without a . You still have obligations, so you must only the that is necessary to assist with the investigation. If a crime has been reported to the police, you may also have to keep the CCTV images for longer than usual until the police have collected them.

If you are disclosing CCTV images to an individual who has made a access request, you may need to obscure the faces or features of other people in the footage. For more information on responding to data see Policies and procedures for dealing with data subject requests and Subject access requests. Also see Checklist for responding to a subject access request for a summary of the steps you should take when responding to a data .

Q17:Are there restrictions on how I can use personal data I have collected from CCTV?

Yes. Further use of is considered in detail at Q&A 36, but the key point is that you must always be open and transparent about how you are using personal information and have a lawful basis for it (there are six lawful bases of ; these are set out in detail in When to use personal data). For example, if you collect CCTV footage for the purpose of preventing crimes, you must not use this information for another purpose which individuals would not expect. For example, you should not it with third parties unless you have told the customer about this and you have a lawful basis for doing so.

Q18:Can I collect customer information when taking bookings or appointments?

You can collect the customer information you need to take bookings (such as names, phones numbers and email addresses), but you must comply with law when doing so.

You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2).

Q19:What privacy information do I have to give customers about how I will use the personal data that I have collected when taking bookings or appointments?

You are legally required to give the customer a containing detailed privacy information when you collect their personal information. In this context, you will be collecting personal information at the time the customer gives you their contact details to make the booking. You should provide your to the customer at this point. You should provide the information in a way that the customer can easily access and understand it. You could read out a script of your full if the booking is being made over the phone or in person, but this may be impractical and time-consuming for you and the customer. Alternatively, you could provide your in the form of a leaflet to every customer who makes a booking in person, or display a clear and readable printout of your next to the cash register (or wherever bookings are made). If customers book online, it will be easier to provide your to them in full. You should include a link on your website and make sure you draw attention to it during the booking process (eg by using a pop-up or a tick box to confirm the customer has read your before submitting their personal information).

Due to the level of detail you are required to provide (see When to use personal data for guidance on what you need to include in your , Privacy policy for a template that you can adapt for use on your website and Privacy information for guidance on how and when to use it), it may be useful to provide the information in a variety of ways. The encourages such a blended approach as often this is the most effective way of providing the information.

The approach set out below is an example of a blended approach of providing privacy information when collecting contact details from someone who has made a booking in person or over the phone:

  1. clearly explain to the customer orally that you will use their information to, for example, record their booking, send them a confirmation email or to contact them if there is a problem with the booking;

  2. tell the customer that they can find detailed information about how you use personal information in your , and tell them where this is (eg on your website or accessible through a link on a booking confirmation email);

  3. when you send the booking confirmation email, make sure that it indicates clearly where the customer can find your (eg by including a link to the using clear wording such as, "You can find out more about how we use your personal information here.");

  4. if you take bookings manually and are not sending a booking confirmation email, you will need to provide the customer with your in another form (eg by reading it out over the phone or providing them with a printed leaflet);

  5. make sure that your contains detailed information about how you use , including how you use email addresses collected for the purpose of making a booking. See Privacy policy for a full template that you can use on your website, and see When to use personal data and Privacy information for further information on what you need to include in your ; and

  6. train your so that they understand why your business is collecting customer information and can provide the customer with the appropriate information on request.

Q20:Do my data protection obligations end when I have taken the booking or made the appointment?

Your obligations do not end once you have taken the booking, or even once the customer has attended his appointment. For example, you must only keep data that is necessary and you must store it securely – see Q&A 40 for further information on your obligations when storing .

In addition, there are restrictions on how you can use you have collected during sales. This is considered in detail at Q&A 36, but the key points are that you must always be open and transparent about how you are using personal information and that you have a lawful basis for it (for further information on the meaning of a lawful basis and how to choose the correct one for your activity, see When to use personal data). If a customer gives you their email address so that you can contact them about their booking, you must not use this information for another purpose which they will not expect. For example, you should not it with third parties unless you have told the customer about this and you have a lawful basis for doing so. For further information on how you can use you have collected during sales, see Q&A 36.

Q21:Can I send e-receipts to customers?

Note that this answer highlights the key points you need to be aware of when collecting customer email addresses to send e-receipts, but it does not explain all of your more general obligations. You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2).

You can send e-receipts, but as this involves the use of personal information (ie the customer's email address), you must comply with law when doing so.

See Q&A 22 for guidance on the privacy information that you need to give to customers when taking email addresses.

Q22:What privacy information do I have to give customers when taking email addresses to send e-receipts?

You are legally required to give the customer a containing detailed privacy information when you collect their personal information. In this context, you will be collecting personal information at the time the customer gives you their email address so you can send them an e-receipt. you should provide your to the customer at this point. You should provide the information in a way that the customer can easily access and understand it. You could read out a script of your full before the customer gives their email address, but this may be impractical and time-consuming for you and the customer. Alternatively you could provide your in the form of a leaflet to every customer whose email address you collect, or display a clear and readable printout of your next to the cash register.

Due to the level of detail you are required to provide (see Privacy information for information on what you need to include in your ), it may be useful to provide the information in a variety of ways. The encourages such a blended approach as often this is the most effective way of providing the information.

The approach set out below is an example of a blended approach of providing privacy information when collecting contact details from someone who has made a booking in person or over the phone:

  1. clearly explain to the customer that, if they agree, you will use their email address to send them an e-receipt for their purchase;

  2. tell the customer that they can find information about how you use personal information in your , and tell them where this is (eg on your website);

  3. when you send the e-receipt, make sure that it indicates clearly where the customer can find your (eg by including a link to the using plain wording such as, "You can find out more about how we use your personal information here.");

  4. ideally, send the e-receipt while the customer is still at the cash register or very shortly thereafter;

  5. make sure that your contains detailed information about how you use , including how you use email addresses collected for the purpose of sending a receipt. See Privacy policy for a full template that you can use on your website, and see When to use personal data and Privacy information for further information on what you need to include in your ; and

  6. train your so that they understand why your business is collecting email addresses and can provide the customer with the appropriate information on request.

Q23:Do my data protection obligations end once I have sent the e-receipt?

Your obligations do not end once you have sent the e-receipt. For example, you must only keep data that is necessary and you must store it securely – see Q&A 40 for further information on your obligations when storing .

In addition, there are restrictions on how you can use you have collected during sales. This is considered in detail at Q&A 36, but the key points are that you must always be open and transparent about how you are using personal information and have a lawful basis for it (for further information on the meaning of a lawful basis and how to choose the correct one for your activity, see When to use personal data). If a customer gives you their email address so that you can send them an e-receipt, you must not use this information for another purpose which they will not expect. For example, you should not it with third parties unless you have told the customer about this and you have a lawful basis for doing so. For further information on how you can use you have collected during sales, see Q&A 36.

Q24:Can I collect customer information for the purpose of getting feedback on my goods or services?

Note that this answer highlights the key points you need to be aware of when collecting customer information in the context of service feedback, but it does not explain all of your more general obligations. You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2).

Businesses often use comment cards or online surveys to collect feedback from customers and may ask for the customer's email address while doing so. You should not collect a customer's personal information where it is not necessary and you are simply trying to obtain feedback on your product or service. You should only collect the personal information you need for your purposes, for example, you might ask customers who have had a negative experience to provide their contact details so that you can resolve the issue.

If you intend to use customer information you collect via feedback forms for , you need to make this clear to the customer when they are submitting their feedback. You do not always need consent for , depending on how you plan to do it (ie email, phone or post) but it will often be appropriate and helps to build customer trust. For more information on what you need to do before you can use customer information for , see Q&A 38.

Q25:What privacy information do I have to give to customers when collecting customer data in the context of service feedback?

In addition, you are legally required to give the customer a containing detailed privacy information when you collect their personal information. You should print this information clearly on the comment card or display it prominently on the online survey (eg via a link or pop-up window).

Due to the level of detail you are required to provide (see When to use personal data for information on what you need to include in your ), it may be useful to provide the information in a variety of ways. The encourages such a blended approach as often this is the most effective way of providing the information.

The approach set out below is an example of a blended approach of providing privacy information when collecting contact details from someone who has made a booking in person or over the phone.

  1. (if you intend to use customer information for purposes) include a notice on the comment card requesting consent for the use of customer information for purposes; print the key privacy information on the comment card, including who you are, what information you are collecting and what you will use it for;

  2. tell the customer where they can find your full (eg on your website);

  3. make sure that your contains detailed information about how you use , including how you use email addresses collected for the purpose of getting customer feedback. See When to use personal data for information on what you need to include in your , and Privacy policy for a full template that you can use on your website; and

  4. train your so that they understand why your business is collecting email addresses and can provide the customer with the appropriate information on request.

Q26:Do my data protection obligations end once I have collected the customer's information?

Your obligations do not end once you have collected the customer's information. For example, you must only keep data that is necessary and you must store it securely – see Q&A 40 for further information on your obligations when storing . In addition, there are restrictions on how you can use you have collected from your customers. This is considered in detail at Q&A 36.

Q27:Can I collect customer information to run in-store competitions or prize draws?

Not that this answer highlights the key points you need to be aware of when collecting customer information in the context of in-store competitions, but it does not explain all of your more general obligations. You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2).

You can collect customer information to run competitions, but as this involves the use of personal information (ie the customer's email address), you must comply with law when doing so. It might be something as simple as a customer dropping a card with their name and email address into a bowl, but this is still personal information.

See Q&A 28 for guidance on the privacy information that you need to give to customers when collecting their information in this context.

Q28:What privacy information do I have to give customers when collecting customer information in the context of in-store competitions?

You are legally required to give the customer a containing detailed privacy information when you collect their personal information. In this context, you will be collecting personal information at the time the customer gives you their contact details to enter into the draw (eg when they drop their business card into the bowl). To make sure you are complying with the , you could provide your in the form of a leaflet to every customer who enters the draw, or display a clear and readable printout of your next to the bowl for collecting contact details. Alternatively, it may be easier to run prize draws online where customers can enter on a website. If you do this, you could include a link to your full on your website and make sure you draw attention to it before the customer enters their personal information (eg by using a pop-up or a tick box to confirm they have read the policy).

Due to the level of detail you are required to provide (see When to use personal data for information on what you need to include in your ), it may be useful to provide the information in a variety of ways, eg a prominently displayed printout or sign that indicates where information can be obtained on your website. The encourages such a blended approach as often this is the most effective way of providing the information.

Q29:Do my data protection obligations end once I have collected the customer's information?

Your obligations do not end once you have collected the customer's information. For example, you must only keep data that is necessary and you must store it securely – see Q&A 40 for further information on your obligations when storing .

In addition, there are restrictions on how you can use you have collected from your customers. This is considered in detail at Q&A 36, but the key points are that you must always be open and transparent about how you are using personal information and have a lawful basis for it (for further information on the meaning of a lawful basis and how to choose the correct one for your activity, see When to use personal data). If a customer gives you their email address so that they can enter a prize-draw, you must not use this information for another purpose which they will not expect. For example, you should not it with third parties unless you have told the customer about this and you have a lawful basis for doing so. For further information on how you can use you have collected during sales, see Q&A 36.

Collecting data for NHS Test and Trace
Q30:Do I need to collect data from visitors and customers for NHS Test and Trace?

No. Routine contact tracing in England ended on 24 February 2022. The Government is no longer encouraging businesses in certain sectors to collect data from , customers and other visitors to their premises for NHS Test and Trace.

In Wales, contact tracing ended in March 2023. Businesses are advised to consider whether collecting information from visitors and customers on communicable diseases such as norovirus or coronavirus might be appropriate as part of ongoing mitigation measures for communicable diseases. Any such collected information should be stored appropriately and kept no longer than absolutely necessary and must be securely disposed of or deleted by 21 days of the date the person was present on the premises.

For guidance on how to store and securely dispose of , see Data retention.

Q31:Can I refuse entry to my premises to individuals who do not provide me with their personal information for contact tracing?

It is no longer a legal requirement for businesses to collect from customers and other visitors to their business premises (see Q&A 31). In light of this, businesses are no longer legally required to take all reasonable steps to prevent individuals who refused to provide that information from entering their premises.

Q32:How do I comply with the UK GDPR when collecting customers' details for NHS Test and Trace?

Routine contact tracing in England ended on 24 February 2022, and in Wales in March 2023. The Government is no longer encouraging businesses in certain sectors to collect data from , customers and other visitors to their premises for NHS Test and Trace. The has advised businesses to review whether it is still necessary for them to keep collected during the COVID-19 pandemic in accordance with Government guidance in place at the time. You should securely dispose of any that is no longer required. For guidance on how to securely dispose of , see Data retention.

Businesses in Wales are advised to consider whether collecting information from visitors and customers on communicable diseases such as norovirus or coronavirus might be appropriate as part of ongoing mitigation measures for communicable diseases. Any such collected information should be stored appropriately and kept no longer than absolutely necessary and must be securely disposed of or deleted by 21 days of the date the person was present on the premises.

For further guidance about your obligations when , see Data protection obligations.

Remember that any individuals whose data you are have certain rights in relation to that data. You must ensure that you have processes in place to deal with any requests by individuals to exercise those rights. See Individuals' access to personal data for further guidance.

Q33:How long do I need to keep information collected for NHS Test and Trace?

Routine contact tracing in England ended on 24 February 2022, and in Wales in March 2023. The Government is no longer encouraging businesses in certain sectors to collect data from , customers and other visitors to their premises for NHS Test and Trace. The has advised businesses to review whether it is still necessary for them to keep collected during the COVID-19 pandemic in accordance with Government guidance in place at the time. You should securely dispose of any that is no longer required. For guidance on how to securely dispose of , see Data retention.

Businesses in Wales are advised to consider whether collecting information from visitors and customers on communicable diseases such as norovirus or coronavirus might be appropriate as part of ongoing mitigation measures for communicable diseases. Any such collected information should be stored appropriately and kept no longer than absolutely necessary and must be securely disposed of or deleted by 21 days of the date the person was present on the premises.

If your business is in Wales and has determined that it is reasonable and proportionate for you to collect this information (see Q&A 30), you should keep it for 21 days from the date of collection, after which you should ensure that it is securely deleted. For guidance about how to dispose of securely, see Data retention.

Note that if you collect personal information for other purposes, you can keep it for longer provided that you do not keep it for longer than necessary for the purpose for which it was collected, and you are complying with your obligations at all times. that has been collected for the specific purpose of the contact tracing scheme should not be used for any other reason (eg for marketing purposes).

Q34:Who can I share personal data with that I have collected for NHS Test and Trace?

Routine contact tracing in England ended on 24 February 2022 and in Wales in March 2023. The Government is no longer encouraging businesses in certain sectors to collect data from , customers and other visitors to their premises for NHS Test and Trace. Businesses in England that formerly participated in the scheme have been asked to securely delete any data that was previously obtained for this purpose.

Q35:Can I check my visitors' or customers' COVID status?

It is no longer a legal requirement for certain events and venues (eg nightclubs) to check, as a condition of entry, that all visitors aged 18 years or over are fully vaccinated, have proof of a negative test in the last 48 hours, or have an exemption. Equally, from 12 May 2022, the NHS COVID Pass is no longer available for domestic use by businesses to check an individual's COVID status.

If you are collecting information about the COVID status of your visitors or customers, you will need to consider whether it is appropriate for you to do so in the specific context of your business, taking account of health and safety regulations, privacy rights and law.

See When to use personal data for more guidance about your obligations when , including what criteria you can rely on. If your is likely to result in a high risk to your visitors or customers (eg because they will be denied access to your services), then you will also be required to carry out a () first. See Data protection impact assessments for more information about DPIAs).

You will need to consider whether information about your customers' and visitors' COVID status is necessary, fair and proportionate (eg because of the risk posed to others). Relevant considerations will include any specific guidance for your sector and the specific health and safety risks faced by your business.

If you determine that your business can justify information about your customers' or visitors' COVID status, make sure you keep a record of your decision-making process. You must ensure you have proper processes in place for handing securely and confidentially, and update your privacy information so that your customers and visitors are provided with information about why you need the data and what you will do with it (eg on your website, on social media and/or on posters around your premises). You should not information about an individual's COVID status with anyone else unless you have a lawful basis for doing so and you must make sure you do not keep this information for longer than necessary (see Data retention).

Using and storing sales data
Q36:Can I use the personal data I have collected from my customers during a sale for other purposes?

This answer explains the general position on using data for purposes other than those for which you originally collected the data. There are stricter rules for in particular, so you should refer to Q&A 38 for more information about this. For specific information in the context of sharing and storing customer data, see Q&A 39 and Q&A 40.

You can use for purposes other than those for which you collected the data in the first place, but you must comply with law when doing so. The rules depend on what your lawful basis of was for the original purpose you collected the data (see When to use personal data for further information on the meaning of a lawful basis and how to choose the correct one for your activity). If your original lawful basis for the data was consent, you need to follow slightly different rules than if your lawful basis was something else (eg or performance of a contract) .

In the context of a sale, your lawful basis will often be that you need to process customer information in order to fulfil your sales contract with them. In this case, because you were not originally relying on individual consent, you can use for other purposes if:

  1. you can find and document a new lawful basis for this new purpose (which must be new and unanticipated); or

  2. the new purpose is compatible with the original purposes, in which case you do not need a new lawful basis.

You still need to give the customer information about the new of their .

If the original lawful basis was consent, then you always need to find a new lawful basis to process the data for a new purpose. It does not matter that the new purpose is compatible with the original one; you still need to show that you have a lawful basis for the new purpose.

See Q&A 37 for guidance on deciding whether the new purpose is compatible with the old purpose.

Q37:How can I decide whether the new purpose is compatible with the old purpose?

When deciding whether the new purpose is compatible with the old purpose, you should consider:

  1. whether there is a link between the new purpose and the original purpose of ;

  2. the context in which you collected the data, in particular, your relationship with the individual and what they would reasonably expect;

  3. the nature of the , eg whether the data is sensitive;

  4. the possible consequences of the intended further for ; and

  5. whether you are using appropriate measures to protect the data (eg encryption).

The two examples below put this into context:

Example 1: Midnight Chocolates Ltd sells luxury dark chocolate from its website. When placing an order, customers submit their name, address and payment information so that the can fulfil the order. Midnight Chocolates Ltd is personal information on the basis that the is necessary to perform its contract with the customer.

  1. Midnight Chocolates Ltd needs to customer information with another for administration purposes, something the did not tell customers when they submitted their personal information. Sharing data within for administration purposes is compatible with the original purpose for which the data was collected so Midnight Chocolates Ltd does not need to find a new lawful basis for . Customers would not be surprised if their data was used for this purpose, and it does not impact on them as individuals.

  2. Midnight Chocolates Ltd wants to customer information with Choxperience, a that runs chocolate making classes, so that Choxperience can contact customers with details of its latest promotions. Midnight Chocolates Ltd would need a new lawful basis for sharing the data in this way, because it is not compatible with the original purpose for which the data was collected. Sharing data with third parties so that the can advertise to the customer is very different from taking customer information to process an order. Customers would not expect Midnight Chocolates Ltd to use their data in this way and it will have an impact on individuals as they may start to receive unwanted marketing communications from Choxperience. Midnight Chocolates Ltd will need to identify and document a new lawful basis for customer data for this purpose.

Example 2: City Tours Ltd sends customers who have previously booked tours regular emails advertising its new tour locations. City Tours Ltd does so on the basis that these customers have given their consent to their personal information being used in this way.

  1. City Tours Ltd wants to use customer names and email addresses to compile some statistics for its upcoming . This is compatible with the original purpose for which City Tours Ltd collected the data. However, because City Tours Ltd originally processed customer data on the basis of their consent, it still needs to find and document a lawful basis for this new use of their data (eg of the ).

  2. City Tours Ltd wants to customer email addresses with Holiday Packages Ltd, so that Holiday Packages Ltd can send them emails about its latest deals. Sharing the data in this way is a new form of which is not compatible with the original purpose for which City Tours Ltd collected the data. Because City Tours Ltd originally processed customer data on the basis of consent, if it wants to process data for a new purpose, it will need to get further consent from the customers.

Note: you have a legal obligation to comply with individual requests relating to . Individuals can ask you to provide them with access to personal information you hold on them, delete any you hold, stop their , transfer their or amend it. For information on how to deal with such requests, see Data subject requests in general and for a template policy that your can use when dealing with requests, see Data subject request policy.

Q38:Can I use personal data I have collected from my customers during a sale for direct marketing purposes?

If a customer gives you their contact information during the course of a sale, you must not assume that they are also happy for you to use their information for . For you will generally need to get the individual's consent, depending on the method of communication (eg email, text, phone calls etc).

The key points are as follows, but for full information on the requirements for see Direct marketing - general.

  1. You usually do not need consent to make live marketing calls, unless the number is registered with the () or the (). However, individuals and businesses can opt out of receiving such calls if they wish, and you must not continue calling them if they do decide to opt out. Note that if you want to make calls to sell claims management services (eg for business which help people make PPI or personal injury claims) or make calls about occupational or personal pension schemes, you must meet certain criteria which is likely to include obtaining specific consent. Rules on making these types of calls are outside the scope of this service.

  2. Prior consent is required from both individuals and businesses if you wish to contact them via automated calling; consent given for live marketing calls is not sufficient .

  3. You do not necessarily need consent to send marketing information to named individuals by post, but you need to have a lawful basis for doing so.

  4. If you want to send emails, you will usually need specific consent from the customer. In order to get valid consent, you must ask the customer to positively opt-in, which means you cannot use pre-ticked boxes, systems or assume that someone has consented from their silence or inactivity. For a full explanation of when you will need consent to send marketing emails see Obtaining consent for direct marketing.

Note that when any personal information, you must also give the individual detailed information about how you will use their personal information. See Q&A 2 and Using personal data, policies and record-keeping for further information on what you must do when collecting customer data.

Q39:Can I share personal data I have collected from my customers during a sale?

This answer explains the general position on sharing collected during a sale, but you should refer to The rules about sharing personal data for full details of your legal obligations.

You can provided you have a lawful basis for doing so and you have been clear and transparent with the customer from the outset about any planned data sharing (ie why you will be sharing the and who you will be sharing it with). There are six lawful bases of ; these are set out in detail in Using personal data, policies and record-keeping.

If you did not originally anticipate sharing customer data and have not told your customers about this, sharing the data would be a new activity with a different purpose from that for which you originally collected the data.

You should refer to Q&A 36 for a full explanation of what you need to do when you want to use data for a new purpose, but the key points are as follows:

  1. you may need to identify and document an additional lawful basis for the new type of . However, if the new purpose is compatible with the old one and your original lawful basis was something other than consent, you do not need to identify a new lawful basis. This is explained in more detail in Q&A 36;

  2. sharing collected during a sale is likely to be incompatible with the original purpose for which the data was collected. This is because the customer would not necessarily expect you to their data and it could have a significant impact on them (eg if they begin to receive marketing communications). The position will depend on who you are sharing it with – for example, if you are sharing the data with a in your corporate group for internal purposes, then this may be compatible with your original purpose and not require a new lawful basis. Sharing with third parties is more likely to need a new lawful basis.

  3. When any personal information you must also give the individual detailed information about how you will use their personal information. See Q&A 2 and Using personal data, policies and record-keeping for further information on what you must do when collecting customer data.

Note that you have a legal obligation to comply with individual requests relating to . Individuals can ask you to provide them with access to personal information you hold on them, delete any you hold, stop their , transfer their or amend it. For information on how to deal with such requests, see Data subject requests in general and for a template policy that your can use when dealing with requests, see Data subject request policy.

Q40:Can I store personal data I have collected from my customers during a sale?

There are important rules about storing that you need to be aware of. This answer explains the key points, but you should refer to The rules about storing data for a full explanation of what you need to do when storing .

You are permitted to store where you have a lawful basis for doing so. There are six lawful bases of ; these are set out in detail in When to use personal data.

If you did not originally anticipate storing customer data and have not told your customers about this, storing the data would be a new activity with a different purpose from that for which you originally collected the data.

You should refer to Q&A 36 for a full explanation of what you need to do when you want to use data for a new purpose, as the answer depends on what your original lawful basis for was. The key points are as follows:

  1. you may need to identify and document an additional lawful basis for the new type of . However, if the new purpose is compatible with the old one and your original lawful basis was something other than consent, you do not need to identify a new lawful basis. This is explained in more detail in Q&A 36;

  2. storing collected during a sale is likely to be compatible with the original purpose for which the data was collected, depending on how long you are storing the data and why you are doing so. This is because the customer would probably expect you to store their data for some time (certainly until the sale has been concluded), and doing so will not have a significant impact on them. If you are storing customer data until the sale is concluded, this is compatible with the original purpose and you will probably not need to identify an additional lawful basis (unless the original collection was based on customer consent, on which see Q&A 36). If you are storing customer data for a very long time, you may need an additional lawful basis to do so.

When storing you must also do the following (these are the key points, but see The rules about storing data for full details):

  1. only keep that is necessary for the purpose for which you are storing it;

  2. make sure that you store is accurate and kept up-to-date where necessary;

  3. not keep data for any longer than necessary; and

  4. put in place appropriate technical and organisational measures to ensure that is stored securely.

Q41:Can I use a customer's personal data as part of a loyalty scheme?

Note that this answer highlights the key points you need to be aware of when using customers' as part of a loyalty scheme, but it does not explain all of your more general obligations. You should refer to Using personal data, policies and record-keeping for a full explanation of what you need to do when (the key obligations are also highlighted in Q&A 2).

Yes, you can use customers' as part of a loyalty scheme. However, you must ensure that you comply with law in the way that you collect, store and use that data for the loyalty scheme.

Some loyalty schemes do not involve the of customers' . For example, many coffee shops provide loyalty cards which are stamped on each purchase and entitle the bearer to a free coffee after they have collected a certain number of stamps. The customer does not provide any of their personal information when receiving the card, so law does not apply.

The majority of loyalty schemes, however, do involve (eg a customer's name, address, phone number or email address). If you intend to collect or use any data for the loyalty scheme which could be used to identify the customer, you must ensure that you take the steps set out below.

  1. provide a when collecting the customer's information. See Q&A 42 for more information;

  2. secure the customer's consent to process their . See Q&A 43 for more information;

  3. secure separate consent to use the customer's data for . See Q&A 44 for more information;

  4. carry out a for activities. See Q&A 45 for more information; and

  5. ensure any sharing of the customer's is done lawfully. See Q&A 46 for more information.

Q42:What privacy information do I have to provide customers who are taking part in my loyalty scheme?

You are legally required to give the customer a containing detailed privacy information when you collect their personal information when they sign up for the loyalty scheme. In practice, you can provide this as a leaflet (for customers signing up to a loyalty scheme in person) or web page (for online sign-ups) before the customer provides their personal information. You could include your as part of a sign-up form, so the customer has to read past the , and perhaps tick a box to confirm they have read it, before they get to the part where they input their details. See When to use personal data and Privacy information for more information on what information must be included in your .

See Q&A 41 for a list of the other steps you need to take when as part of a loyalty scheme.

Q43:Do I need customer consent to process their data as part of my loyalty scheme?

In order to collect and use a customer's data as part of a loyalty scheme, you need their consent. The customer must to the loyalty scheme (ie you cannot have a system where customers are automatically signed up for the loyalty scheme with the chance to opt out) and give you permission to use their data for the scheme. You must make sure you request consent in the right way, otherwise it will be invalid; see Consent to use personal data for information on how to get valid consent.

If you intend to use loyalty scheme members' contact information to send them messages, you will need to comply with additional rules. Depending on the method of you are intending to use (ie email, text or phone calls) you will usually need the customer's specific consent to the use of their personal information for . If a customer has given consent for the use of their personal information as part of the loyalty scheme, this is not sufficient to cover the use of their personal information for .

For more detail on using personal information for see Direct marketing - general.

See Q&A 41 for a list of the other steps you need to take when as part of a loyalty scheme.

Q44:Do I need separate customer consent if I want to use their data for profiling?

is when an individual's is automatically analysed to draw conclusions about that person (eg about their personal preferences, interests, location or behaviour). Many loyalty schemes use to provide personalised benefits to customers. For example, some loyalty schemes analyse customers' purchasing history to predict what they will buy in the future and then provide coupons or discounts for those predicted purchases; this is a form of .

is restricted by law, and if you intend to use customer's in this way for your loyalty scheme, you must ensure that you have a lawful basis for doing so. The appropriate lawful basis for will usually be individual consent. The customer must consent specifically to the use of their data for , so this consent must be provided separately to any general consent to of . For example, when the customer is signing up to the loyalty scheme, in addition to a box they must tick to confirm that they consent to data , you should include another box to confirm they consent to the use of their data for . As with all other forms of consent to data , the customer's consent to must be given on an opt-in basis after you have clearly explained why the data is needed and how it will be used. You must also tell the customer that they can withdraw their consent at any time and you need to make it easy for them to do so. For more information on lawfully securing a customer's consent to data see Consent to use personal data. You must also provide the customer with information on how to access the information you are collecting about them, and provide a simple way for them to correct or challenge the accuracy of the data held or challenge a particular decision made about them, or request that you reconsider an automated decision. You must also comply with your obligations to store the data securely and for an appropriate period of time. See Q&A 40 and The rules about storing data for more information.

You should also be aware that when customers' for purposes, you are under an obligation to ensure that your automated analysis is accurate and appropriate for the in question, so that no one is disadvantaged by an error in your system. You must avoid based on , unless the customer has given explicit consent to the use of their sensitive personal information (ie additional consent on top of consent the customer has given for generally).

See Q&A 41 for a list of the other steps you need to take when as part of a loyalty scheme.

Q45:Do I need to carry out a data protection impact assessment for data profiling?

is a high-risk activity, so you may need to perform a () to show that you have considered the risks and how you will address them. For information on how to do this, see Data protection impact assessments, and for a template policy that you can use to help you comply with your obligations, see Data Protection impact assessment policy.

See Q&A 41 for a list of the other steps you need to take when as part of a loyalty scheme.

Q46:Can I share customer data collected as part of a loyalty scheme?

Some loyalty schemes will require customers' to be shared with a (eg where the loyalty rewards are administrated by a , or in the case of shared loyalty schemes involving multiple businesses offering the same rewards system). Any sharing of should be carried out very carefully, as there are a number of obligations you must comply with to do so. In particular, you should make it clear to the customer that you will be sharing their with a , explaining in clear language which pieces of data will be shared and why it is necessary to do so. For a detailed explanation of the laws you must comply with in order to with a see The rules about sharing personal data.

See Q&A 41 for a list of the other steps you need to take when as part of a loyalty scheme.