The Irish Data Protection Commissioner (DPC) has launched an investigation following a number of customer complaints about retail outlets asking for customer email addresses in order to send e-receipts after a purchase.
The DPC is auditing companies that issue receipts in this way to ensure they are using the customer data correctly.
Although there is nothing to say companies can’t issue e-receipts, the DPC is concerned that the data captured is being used for the purpose of sending marketing emails without the customer’s consent, which may potentially breach marketing rules.
It is understood that the DPC has evidence “to show that some data controllers are using email addresses captured for the purpose of issuing e-receipts and subsequently using this information to issue marketing material”.
The DPC has contacted a number of organisations about the practice, prompting the audit team to “conduct a number of on-site inspections which involved a specific focus on the issuing of e-receipts”.
Last week it was announced in Ireland’s budget that the DPC would receive an extra €4 million in 2018 to recruit up to 40 new employees.
The DPC’s total funding will go up by 55% from this year’s budget to represent the Irish government’s commitment to data protection in light of the EU General Data Protection Regulation (GDPR).
With the DPC expected to employ about 90 people by the end of 2017, including a number of specialist hires, it seems the organisation is preparing for battle ahead of the EU GDPR coming into force on 25 May 2018.
Documenting your compliance with the EU GDPR may be one of the most manually intensive parts of meeting the Regulation’s requirements. Get help producing GDPR-compliant documentation with our documentation toolkit.
This comprehensive, market-leading toolkit is used by hundreds of organisations worldwide and contains all the critical documents you will need to comply with the GDPR, including:
- A procedure for conducting a privacy audit;
- Templates for creating clear and accurate privacy notices;
- A data breach notification process and procedures;
- Subject access request templates and procedures;
- An international data transfer procedure;
- Consent form templates;
- Data protection impact assessment templates and procedures; and
- Important information on security policies and procedures to keep your information secure.