Forms for soliciting members' details should be GDPR-compliant.

GDPR-Compliant Membership Application Forms for Retail Brick-and-Mortar Businesses

Do you run a membership or loyalty programme in store?


If you do, you are probably collecting your customers’ personal data through paper or electronic forms; and if so, have you checked that your forms comply with the General Data Protection Regulation (GDPR)?


To help you get started on becoming GDPR compliant, let’s run through a few crucial tenets of the GDPR and how they affect the way your customers’ information is obtained, managed and stored.


1. Consent & Choice to Opt In


When asking your customers to fill in a membership application form, or any other form that asks for details that can identify a person, it is important to seek specific and explicit agreement for the collection and use of their personal particulars. This should be set out in a clause that explains the terms of your service, as well as your company’s privacy policy.


If you intend to send marketing communications in the form of emails or text messages, a separate opt-in clause is required. Because the purpose of this data use is different from what your company needs in order to provide the service, you must obtain your customers’ consent for marketing independently. Marketing communications cannot be made a prerequisite for sign-up, so ensure that your customers have the option to freely opt in to them.

You may read more on the requirements for Consent over at


Be transparent about your company's privacy policy and ensure consent is sought for use of your customers' personal data by including an opt-in clause in your membership forms.



2. Lawful & Transparent


Closely tied to the first concept of “consent” is the notion of collecting data in a lawful and transparent manner. If you have been granted consent to use your customer’s personal particulars for the sole purpose of delivering a service, the data should be used only as agreed. For any purpose beyond the scope of the initial agreement, consent has to be sought again.


Be clear and seek permission from your members before processing their personal data.


Updates made to your service’s terms of use or privacy policy should not go unnoticed. Inform your customers in clear and unambiguous notifications about how their information will be used or shared.



3. Ask Only for What You Absolutely Need


Data minimisation is another principle highlighted in Article 5 of the GDPR. Businesses should only ask for information that is relevant and required for specific purposes. This is a best practice put in place to minimise the risk of security breaches.


Often, retail membership and loyalty programmes require customers to provide personal information about themselves. Businesses are encouraged to carefully evaluate the types of information needed for administering rewards or discounts.


Under Article 9 of the GDPR, processing of special categories of data, such as racial or ethnic origin, religious or political beliefs and others, is prohibited with a handful of exceptions. Though these fields are rare in marketing or membership application forms, you are nevertheless advised to familiarise yourself with these concepts.



4. Understanding Your Customers’ Rights


"With great access to personal data comes great responsibility."


It does not all end with consent. Continued due diligence is needed to maintain these privileged sets of information. Under the regulation, customers must continue to be able to exercise rights over their own data, which include rectification, erasure, data portability (export) and more.





For retail brick-and-mortar businesses, the GDPR is enforceable if your business is operating within European Union (EU) member states.


For retail stores operating outside the EU, you are not spared. As long as your business deals with collection, use, monitoring or storage of personal data of individuals in EU countries, you are expected to comply with the GDPR as well.


We have briefly summarised 4 key principles of the GDPR. As the nature and scope of each retail business is different, you should continue to read further on the GDPR or seek legal advice from your lawyer to ensure full compliance.


Disclaimer: This post does not constitute legal advice.
