Solutions

Resources

Finnish
Finnish

Solutions

Resources

Finnish

Digital Receipts and GDPR Compliance: What Merchants Need to Know

10.1.2022

Tldr:

  • From the very beginning ReceiptHero has made sure the company has built a robust data governance model for all parties on the platform, especially merchants

  • ReceiptHero takes care of GDPR on behalf of merchants

  • Having had merchants on the platform and sending receipts to their customers for over 5 years, ReceiptHero has gained strong industry experience, produced easy to understand contract frameworks for merchants and partners that streamlines the whole contractual process.

ReceiptHero in brief

ReceiptHero is a digital receipt platform that partners with banks, merchants, POS/ECR system providers and payment service providers (PSPs) or card schemes (e.g. Visa, Mastercard) to provide digital receipts and related value-added services to consented cardholders. ReceiptHero can provide its services to cardholders who have registered themselves as users of ReceiptHero or to companies who have registered their corporate cards with ReceiptHero.

Update: Since this article was originally written back in 2022, ReceiptHero now provides merchants with other distribution channels outside of registered cardholders in integrated apps for customers to get their receipts, for example customers can get their receipts from scanning a QR code at the checkout, interacting with a payment terminal or retrieving a receipt from our Fetch Later service. These new channels allows for non registered customers to get their receipts, however the same data governance and care for personal data still applies.

How is the data used?

We could not build a transparent and scalable platform for digital receipts if we did not safeguard how data is used. It is a fundamental requirement for our merchants, customers, banks and other partners to all understand what can and cannot be done with the data that flows through our platform.

From a GDPR perspective understanding how ReceiptHero works is important, so in the following article we'll outline how our platform works and abides by data laws in Europe.

For our card-linked receipt solution: Once a payment card is registered with ReceiptHero, ReceiptHero starts receiving the transaction data of purchases made with the payment card from PSPs or card schemes. ReceiptHero uses this transaction data to compare it against the receipt data from merchants that have activated ReceiptHero's digital receipt service.

ReceiptHero under the hood

A birds eye view of how ReceiptHero's card-linked receipt solution works with different partners

If certain data points match, ReceiptHero knows that the receipt in question concerns a payment card registered with ReceiptHero, and ReceiptHero will therefore provide the cardholder a digital receipt of the purchase.

For our newer distribution channels (QR code, NFC, Fetch Later) ReceiptHero still receives the unmatched receipt data from the ECR however we do not match against the transaction data as the customer identifies themselves to that receipt in a different way.

A birds eye view of how all channels work and the UX flow for the end customer.

ReceiptHero takes the stress away when it comes to GDPR

In order to process personal data in a GDPR compliant manner, there must exist a legal ground for processing. According to ReceiptHero’s understanding, most merchants are already today processing purchase and receipt data for various purposes: bookkeeping, warranty, customer behaviour analyses, marketing, etc.

The various processing activities, however, must always be backed up by a legal ground. According to GDPR, there exists several possible legal grounds, such as a legal obligation, a contract, or a so-called legitimate interest. The processing activities need also be notified to customers, so that they are aware of the processing and their rights. For this purpose, many merchants have duly prepared privacy policies or statements where they carefully explain their personal data processing activities, including those concerning their customers’ purchase or receipt data.

Offering digital receipts is no different from the other processing activities of the merchants. However, like other processing activities, also the processing of personal data for digital receipt offering purposes needs to be communicated to merchant’s customers in an open and clear manner. And this is the very reason why this article has been prepared – to help you as the merchant to fulfil your GDPR obligations when offering your customers digital receipts with the help of ReceiptHero.

As a merchant what do I need to know and do?

As mentioned above, ReceiptHero receives its receipt data from the merchants that have decided to start offering digital receipts with the help of ReceiptHero. From the customer’s point of view, the merchants act as data controllers under the GDPR, since the customer’s purchase and receipt data is originally collected and created by the merchants when the customers are making their purchases.

However, also ReceiptHero acts as a data controller when the receipt concerns a payment card that has been registered with ReceiptHero. This is because ReceiptHero and its customers have in their agreement agreed that ReceiptHero may process the receipt data ReceiptHero receives from the merchants to provide its customers the agreed services. So, from a GDPR perspective, the collecting and processing of receipt data by the merchants, insofar as it concerns the customers of ReceiptHero, is based on a contract.

In addition to processing the receipt data of ReceiptHero’s customers, offering digital receipts with the help of ReceiptHero also entails some minor processing of those customers’ receipt data that are not customers of ReceiptHero. As mentioned above, these are the so-called unknown customers, because ReceiptHero is not able to identify those customers by comparing their receipt data to the transaction data ReceiptHero has received elsewhere. It is unclear to ReceiptHero if even you as the merchants are able to identify these unknown customers’, but since the definition of “personal data” under the GDPR is so wide, ReceiptHero has made a decision to assume this receipt data is or at least may contain personal data, and should be processed according to GDPR.

Keeping on the topic of the unknown customers’s receipt data, ReceiptHero acts as the processor (or sub-processor of the merchant’s POS provider, as the case may be) and process their receipt data only to check if it contains receipt data of purchases made with payment cards that are registered with ReceiptHero. For merchants wanting to leverage our Fetch Later service, receipt stores receipts upon an agreed time horizon with the merchant so that their customers can possibly retrieve these at a later date.

According to ReceiptHero’s understanding, the processing of unknown customers’ receipt data for the above purposes takes place under the merchant’s legitimate interest, but the merchant as the data controller will need to assess and define the legal ground ultimately, and take care of the GDPR obligations also when processing unknown customers’ receipt data.

However, as we want to take care of our merchants, we have below drafted a brief checklist that you as the merchant need to do from a GDPR perspective when offering digital receipts through ReceiptHero:

  • Update your privacy policies to explain processing of personal data for digital receipt purposes. We can help you in this regard by providing you some example language which you can modify and insert into your current privacy policies or statements.

  • Insert a sticker at your payment terminals prompting your customers to find out further information about your processing activities for digital receipt purposes. Our marketing team can help you with these stickers.

  • Train your personnel the basics of ReceiptHero, so that they are ready to answer any questions your customers might have. At the very least, they should be able to tell that further information can be found at ReceiptHero’s website and at the merchant’s own privacy policies.

  • Assuming you agree with our analysis that the legal ground to process your unknown customer’ receipt data is your legitimate interest, then conduct a so-called balancing test meant in the GDPR to make sure you have thought this through as required by the law. We can help you to conduct the balancing test, if needed.

If you still have questions after reading this article, drop us an email and we'd be happy to explain more about how ReceiptHero works.

This article was produced in co-operation with Bird & Bird who have been advising ReceiptHero on legal matters.