GDPR for corporate merch programs

Ինչ է պահանջվում

• Lawful basis for processing recipient data (consent, legitimate interest, contract)
• Data Processing Agreement (DPA) with every supplier handling recipient lists
• Data minimisation: collect only the fields needed for fulfilment (name, address, size)
• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
• Right to erasure: process to delete recipient data 30 days after delivery
• 72-hour breach notification to your supervisory authority
• Records of Processing Activities (Article 30) covering each merch campaign
• Sub-processor disclosure and prior authorisation

Ինչպես է ազդում մերչ-ծրագրերի վրա

• Welcome-kit programs that ingest HRIS data must run on documented lawful basis
• Event-merch sign-up forms need granular consent (separate from marketing opt-in)
• Direct-to-recipient shipping requires DPA + sub-processor list (couriers count)
• Photographs of branded merch with identifiable recipients = personal data
• Cross-border transfers (e.g., EU recipient list to UAE supplier) need SCCs or adequacy

Փաստաթղթերի փաթեթ — what suppliers must provide

1. Signed DPA (Article 28) including sub-processor schedule
2. Standard Contractual Clauses (SCCs) for non-adequate-country transfers
3. Transfer Impact Assessment (TIA) post-Schrems II
4. ISO 27001 or SOC 2 Type II report from supplier
5. Pen-test summary or vulnerability scan from past 12 months
6. Incident-response plan with RTO/RPO commitments
7. Sub-processor authorisation list, signed and dated
8. Records-of-Processing extract for the merch category

Որոշումների ծառ — when does this framework apply?

• Are any recipients in the EU/EEA? Yes -> GDPR applies
• Are you the controller, processor, or joint controller? Drives obligations
• Is data leaving the EU? Adequacy + SCC + TIA needed
• Is the data special-category (health, religion)? Explicit consent required

Տուգանքներ չհամապատասխանելու համար

• Up to EUR 20 million or 4% of worldwide annual turnover (whichever higher)
• Per-incident fines from supervisory authorities (DPA, CNIL, ICO, etc.)
• Civil compensation claims from affected data subjects
• Reputational impact from public breach notification register

Ինչպես ենք օգնում

• Pre-signed DPA (Article 28) with our standard sub-processor list
• EU-resident data centre option for recipient-list storage
• Encrypted upload portal (TLS 1.3) for HRIS exports
• 30-day automatic deletion policy with audit log
• Annual Transfer Impact Assessment refresh
• Sub-processor change notice 30 days in advance

Առնչվող շրջանակներ

• Ccpa Cpra Merch
• Iso 9001 14001 27001
• Modern Slavery Acts

Առնչվող ռեսուրսներ

• Glossary of compliance terms
• Material catalogue
• Sustainability report 2026
• Data Processing Addendum
• Whitepapers and reports

Հաճախ տրվող հարցեր

Does GDPR apply to free merch?

Yes: even when no money changes hands, processing a recipients name and address for shipping is personal-data processing under GDPR Article 4.

What lawful basis fits employee welcome kits?

Most often performance of contract (employment) or legitimate interest, documented in the Records of Processing Activities.

Do we need a DPA with the courier?

Yes: couriers act as processors when they receive a recipient list, even for last-mile delivery.

How long can we store recipient lists?

Only as long as necessary; our default is 30 days post delivery, then automatic deletion with audit log.

What happens if a recipient asks for erasure?

We delete from active systems within 30 days and confirm to you; backups expire under documented retention schedule.