News & Views

Data Protection in Retail - Key Things to Think About to Remain Compliant

20 February 2020

In addition to the maintenance of a mere customer register and processing of payment details, the retail industry has also adopted many other ways to process personal data, most importantly, to generate additional value from it.

Customer loyalty programmes are an effective way to connect with and engage customers, and to receive information about their desires and needs by simultaneously obtaining loads of behavioural data. Such personal data is of utmost importance when creating personalised experiences and marketing. Personalising customer experiences is a key in today’s economy, involving customer encounters both in digital and tangible world. As customers increasingly value communication and service that is tailored to their interests and needs, analysing and profiling have gained importance. A rapid increase in the number of available mediums has not only brought about new possibilities, but also imposed new challenges. Modern marketing makes use of digital tools that manage processes, workflows, content, and customer analytics. Adtech enables programmatic buying and selling of advertisements to make them more effective towards unknown prospects based on certain targeting parameters (location, browser history, behaviour, etc.).

 Regardless of the planned processing, the basic rules are pretty much the same. The key piece of legislation in the EU in this regard is the General Data Protection Regulation (EU) 2016/679 (the “GDPR”). Having high standards of privacy and data protection within an organisation is not only important for compliance purposes, but also because they deliver a valuable competitive advantage. High privacy standards have been found to increase customer trust, enhance an organisation’s brand image, and give the organisation readiness to better engage with customers.

Here are some key things to consider in planning and performing personal data processing in a compliant way:

Planning Ahead

One should plan the processing prior to the collection of the personal data, i.e. decide in advance why personal data is collected and what the data will be used for, as data may only be collected for a specified and explicit purpose. Once collected, the data can only be used for the initially specified or compatible purpose and for the time necessary.

While evolving technologies and innovative business ideas often allow new ways in which to utilise previously collected personal data, as a rule, the purposes for which the data has initially been gathered cannot be freely extended.

Minding Other Involved Stakeholders

Efficient data processing is usually based on digital tools and services (which often are provided by third parties specialising in such solutions), marketing efforts may utilise data obtained from external databases, and advertising may be based on collaborations. Where processing involves more parties than one, it is important to analyse the roles of the parties concerned, as the identified roles determine the rights and obligations of the parties.

For instance, where a marketing agency sends invites to a retailer’s contacts for a marketing event, the marketing agency acts as a processor for and on behalf of the retailer acting as a controller. The marketing agency does not gain rights to the contacts and may not use them for its own purposes. In addition, the parties are required to conduct a data processing agreement providing for minimum content laid down in the GDPR.

“Personalising customer experiences is a key in today’s economy, involving customer encounters both in digital and tangible world.”

Where two or more controllers process personal data for the same purposes, they are considered joint controllers, who also must agree on certain issues with regard to their mutual relationship under the GDPR. Joint controllership also affects, for instance, the lawful basis of the processing, the duty to inform, and the facilitation of the data subject’s rights. This should be borne in mind especially when operating online. The Court of Justice of the European Union (the “CJEU”) considered in its recent judgment in the Fashion ID case (C-40/17) that an online clothing retailer was a joint controller together with Facebook with regard to the collection of personal data through Facebook “Like” button embedded to the retailer’s website. This is because by embedding the Facebook “Like” button on its website, the retailer had made it possible also for Facebook to obtain the personal data of the visitors on its website.

Staying Focused

In addition to planning the data processing in advance, it is also important to regularly review the collected data. The personal data that is processed must be adequate, relevant, and limited to what is necessary for the purpose(s) for which they are processed. When the data is no longer necessary for those purposes, it should no longer be kept in a form permitting identification.

Hence, even though rich data is important in achieving effective results, the data should also be genuinely relevant. Not all customer data about will be of assistance in marketing efforts, and outdated data will certainly not make business flourish. Non-relevant data should not be collected “just in case”, and once the personal data is no longer relevant, it should be anonymised or deleted.

Shifting to Digital

Trade and marketing are increasingly shifting to a digital environment, where valuable customer data is often gained through cookies. The CJEU recently reviewed the rules on cookie collection practices in the Planet49 case (C-673/17). One of the main questions faced by the CJEU was that what is required of a website operator in order to obtain a legally valid consent from its users to the store cookies on their computers. Only consent that is the result of an active behaviour and that has been “freely given, specific, informed and unambiguous” will unquestionably constitute such a valid consent.

The CJEU found that if a pre-ticked box is used to obtain consent, it would appear impossible in practice to ascertain whether a website user actually gave their consent since they have not “actively” confirmed this. For this reason, the CJEU held that a consent given by a pre-ticked box would not constitute a valid consent.

Gaining Trust Through Transparency

The terms for the data processing must be specific and clearly communicated to the customer through, for instance, privacy policies. Companies must provide sufficient transparency by disclosing all relevant information to the customers, thereby giving them control of their data. When making use of AI solutions, one should bear in mind that automated processing may not happen in a black-box, as the data subjects must be informed of automated decision-making (including profiling) and provided with meaningful information about the logic involved. Transparency plays a crucial part in gaining customer trust.

Particular care should be involved if the automated processing, for instance, by an adtech tool, involves elements such as discounts based on certain personal factors or targeting of vulnerable groups (e.g. children). Nobody wants to feature a news piece on illegal processing of personal data. Furthermore, even “legal” processing may sometimes be considered unethical or suspiciously intrusive by the public.


  • Plan the processing from the moment the data is obtained until its deletion. Remember that it is always cheaper to analyse and plan than to try to fix things afterwards!
  • Be transparent and fair, this is the best way to avoid complaints from the data subjects to you and the supervisory authority.
  • Document the processing and spread information within the organisation, make everyone involved and liable for their own part.
  • Review the stored data and implemented ways of working from time to time.
  • Analyse your role in the processing and consider the impacts of involving third parties. Be active in contracting; ensure that the mandatory contracts are entered into and that you understand the rights and obligations imposed by the contracts. In case processors are frequently used, preparing an own data processing template is always a good investment, as it may be also used as a tool to evaluate the terms provided by the other party.


  • Don’t gather and store information for unknown purposes or “just in case”.
  • Ignorance is not bliss. Don’t postpone the handling of the data protection issues to a better moment, usually such time never comes.
  • Don’t consider data protection as a one-time exercise; compliance requires daily measures.
  • Don’t forget to review the compliance capability of your systems, e.g. duties to comply with a data subject request cannot be neglected by reason of failing to take appropriate technical measures.


More articles from the first edition of Hannes Snellman Fashion Law Review are available here.