Dealing with personal data during sales

When you are selling products or services you will be collecting personal data about your customers. This section deals with your obligations in this context, including when and how you can collect that data and how you can use it. It provides guidance about your particular obligations when selling from your business premises, by phone or via a website, app or mail-order. It also covers the use of CCTV, e-receipts, bookings, getting customer feedback and running competitions.

Collecting personal data

  1. Can I collect personal data from my customers during a sale?
  2. What are my legal obligations when I collect personal data from customers during a sale?
  3. Does Brexit affect my legal obligations when I collect personal data from customers during a sale?

Collecting personal data when selling from a website or app

  4. What are my data protection obligations when selling from a website or app?
  5. What are my data protection obligations when selling to children from a website or app?
  6. Do my data protection obligations end after the sale is over when selling from a website or an app?

Collecting personal data when selling over the telephone

  7. What are my data protection obligations when selling over the telephone?
  8. What are the strict rules about making sales and marketing calls?
  9. Do my data protection obligations end after the sale is over when selling over the telephone?

Collecting personal data when selling by mail-order

  10. What are my data protection obligations when selling by mail-order?
  11. Do my data protection obligations end after the sale is over when selling by mail-order?

Collecting personal data when selling from a shop

  12. What are my data protection obligations when selling from a shop or other business premises?
  13. Can I use CCTV or other video surveillance on my business premises?
  14. Do I have to tell people that I am using video surveillance?
  15. Are there any limitations on what I can use video surveillance for?
  16. Can I share footage captured by my video surveillance with anyone outside my business?
  17. Are there restrictions on how I can use personal data I have collected from CCTV?
  18. Can I collect customer information when taking bookings or appointments?
  19. What privacy information do I have to give customers about how I will use the personal data that I have collected when taking bookings or appointments?
  20. Do my data protection obligations end when I have taken the booking or made the appointment?
  21. Can I send e-receipts to customers?
  22. What privacy information do I have to give customers when taking email addresses to send e-receipts?
  23. Do my data protection obligations end once I have sent the e-receipt?
  24. Can I collect customer information for the purpose of getting feedback on my goods or services?
  25. What privacy information do I have to give to customers when collecting customer data in the context of service feedback?
  26. Do my data protection obligations end once I have collected the customer's information?
  27. Can I collect customer information to run in-store competitions or prize draws?
  28. What privacy information do I have to give customers when collecting customer information in the context of in-store competitions?
  29. Do my data protection obligations end once I have collected the customer's information?

Collecting data for NHS Test and Trace

  30. Do I need to collect data from visitors and customers for NHS Test and Trace?
  31. Can I refuse entry to my premises to individuals who do not provide me with their personal information for contact tracing?
  32. How do I comply with the UK GDPR when collecting customers' details for NHS Test and Trace?
  33. How long do I need to keep information collected for NHS Test and Trace?
  34. Who can I share personal data with that I have collected for NHS Test and Trace?
  35. Can I check my visitors' or customers' COVID status?

Using and storing sales data

  36. Can I use the personal data I have collected from my customers during a sale for other purposes?
  37. How can I decide whether the new purpose is compatible with the old purpose?
  38. Can I use personal data I have collected from my customers during a sale for direct marketing purposes?
  39. Can I share personal data I have collected from my customers during a sale?
  40. Can I store personal data I have collected from my customers during a sale?
  41. Can I use a customer's personal data as part of a loyalty scheme?
  42. What privacy information do I have to provide to customers who are taking part in my loyalty scheme?
  43. Do I need customer consent to process their data as part of my loyalty scheme?
  44. Do I need separate customer consent if I want to use their data for profiling?
  45. Do I need to carry out a data protection impact assessment for data profiling?
  46. Can I share customer data collected as part of a loyalty scheme?

Data protection impact assessment policy

A data protection impact assessment policy is an internal document setting out how and when your business will assess the data protection risks of its activities. It’s important to have proper policies and procedures in place when you’re handling personal data, and carrying out a data protection impact assessment is sometimes mandatory under Article 35 UK GDPR. A data protection impact assessment might also be referred to as a privacy impact assessment, a DPIA or a GDPR risk assessment. This template DPIA policy will help you to comply with your data protection obligations by setting out when and how your staff should consider carrying out data protection impact assessments. It also includes a template DPIA form, which has been produced by the Information Commissioner’s Office (ICO). This provides an example of how you can assess, record and seek to reduce the privacy risks associated with your projects. Where applicable, it also includes a template DPIA form, also produced by the ICO, for use by online services which are directed at, or are likely to be used by, children. This will help relevant online services to comply with their obligations under the ICO's Age Appropriate Design Code. You can also purchase this policy as part of the Data protection policy toolkit.

Data subject request policy

This Data subject request policy will allow you to set up a policy that staff can refer to when responding to a request from an individual about the personal data your business holds on them (a data subject request). Under the UK GDPR, individuals can make requests about the personal data that you collect, including requests to correct or delete personal data, or a request for a copy of the data and details of how your business uses it (known as a subject access request). There are both practical and legal steps that you need to take in order to minimise any disruption and fulfil your obligations under the UK GDPR when responding to a data subject request. Having this Data subject request policy in place will assist your business in identifying and responding appropriately to a data subject request. You can also purchase this policy as part of the Data protection policy toolkit.