Loyalty program

For decades, merchants have offered their customers loyalty or customer cards, giving them the opportunity to obtain additional discounts and to make savings. Whereas in the past customers rarely had to provide their personal data to obtain a customer card, today, in exchange for “advanced offers”, people often have to provide an address, telephone number, personal identification number, etc. Although it may seem that customer cards are only “heavy” in our wallets, it must be understood that each of those stores or service providers has been given our data.
This explanation covers whether a merchant (data controller), when issuing a loyalty card and implementing a loyalty program, can request any personal data from its customers (data subjects), and how it should inform customers about the processing of these data.

The provisions of the Data Regulation apply to a trader’s loyalty programs in which data are processed. These are:

  • defining a clear purpose of data processing;
  • applying an appropriate legal basis;
  • properly informing customers about planned or existing data processing;
  • complying with the conditions laid down in the principles of the Data Regulation.

In order to determine the purpose of data processing, the trader must answer one question: why is this processing necessary? The answer is most often found in organisational processes related to commercial activities and in external regulatory frameworks.

The application of the legal basis is closely linked to the determination of the purpose of the data processing. These are processes where accuracy plays an important role – the more clearly defined the purpose, the easier it will be for the controller to apply the legal basis. Data processing in loyalty programs is usually based on the customer’s consent, but there are other legal grounds in the Data Regulation that can be used, for example, when a contract is concluded to issue a card. 

Processing of data is based on consent

The basic principles of consent are: 

  • it must be easy to give and equally easy to withdraw;
  • it is voluntary;
  • its withdrawal will not have negative consequences for the customer and will not affect an existing contractual relationship.

The customer’s consent is absolutely necessary to enable the merchant to analyse the purchase history and create special offers for future purchases by automated means. It is also necessary for sending the customer commercial communications concerning the company’s other services and advertisements.

Example: In order to obtain a customer card of company “SHOP”, it is necessary to fill in a questionnaire in which a person can choose whether or not to receive notifications, based on previously made purchases, about new goods added to the shop’s assortment. Upon receipt of such a letter, the customer is given the opportunity to unsubscribe from such news.




Information references:


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: Data Regulation).

[2] Article 5 of the Data Regulation.

[3] Article 6(1)(a) of the Data Regulation.

[4] Rules for the transmission of commercial communications are laid down in Sections 8 and 9 of the Information Society Services Act.

[5] Article 6(1)(b) of the Data Regulation.

[6] Recital 26 of the Data Regulation: the data protection principles should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a way that the data subject is not or is no longer identifiable.

[7] Article 5(1)(c) of the Data Regulation.

[8] Article 13 of the Data Regulation.