
GDPR for corporate merch programs

Any merch program touching EU recipients (employees, prospects, event attendees) processes personal data and falls inside GDPR scope.

Jurisdiction: European Union  ·  Code: EU 2016/679

What is required

  • Lawful basis for processing recipient data (consent, legitimate interest, contract)
  • Data Processing Agreement (DPA) with every supplier handling recipient lists
  • Data minimisation: collect only the fields needed for fulfilment (name, address, size)
  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Right to erasure: a documented process to delete recipient data 30 days after delivery
  • 72-hour breach notification to your supervisory authority
  • Records of Processing Activities (Article 30) covering each merch campaign
  • Sub-processor disclosure and prior authorisation
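The data-minimisation and 30-day erasure items above are the two controls an engineer actually has to build into a fulfilment pipeline. The script below is an added example, not code from the original page or from the merch supplier: it strips an HRIS export down to the fulfilment fields, purges records whose 30-day post-delivery retention has elapsed, and writes an audit entry that records the deletion without re-storing the name or address. The field names, the sample export and the audit-log layout are assumptions.

```python
"""Added example (not from the original page): enforce data minimisation and
30-day post-delivery erasure for a merch recipient list, with an audit log.
Field names, sample records and the log format are assumptions."""
from datetime import date, timedelta
import hashlib
import json

# Only the fields fulfilment needs are retained (assumed field names).
ALLOWED_FIELDS = {"name", "address", "size", "delivered_on"}
RETENTION_DAYS = 30


def minimise(record: dict) -> dict:
    """Drop every field fulfilment does not need, before the record is stored or shared."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def _pseudonym(record: dict) -> str:
    # The audit log must not re-introduce the personal data whose deletion it records,
    # so it stores a short hash of the canonical record instead of name/address.
    canonical = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def purge_expired(records: list, today: date, retention_days: int = RETENTION_DAYS):
    """Return (retained, audit_log).

    A record expires retention_days after its delivery date; records that have
    not been delivered yet (no delivered_on) are kept.
    """
    retained, audit = [], []
    for rec in records:
        delivered = rec.get("delivered_on")
        if delivered is None:
            retained.append(rec)
            continue
        expiry = date.fromisoformat(delivered) + timedelta(days=retention_days)
        if today >= expiry:
            audit.append({
                "action": "erased",
                "record": _pseudonym(rec),
                "delivered_on": delivered,
                "purged_on": today.isoformat(),
                "reason": f"retention {retention_days}d elapsed",
            })
        else:
            retained.append(rec)
    return retained, audit


# Constructed sample HRIS export; the extra fields must never reach a supplier.
SAMPLE_EXPORT = [
    {"name": "A. Example", "address": "1 Rue Exemple, Paris", "size": "M",
     "date_of_birth": "1990-01-01", "salary": 50000, "delivered_on": "2024-03-01"},
    {"name": "B. Example", "address": "2 Example St, Dublin", "size": "L",
     "manager": "C. Example", "delivered_on": "2024-03-20"},
    {"name": "D. Example", "address": "3 Beispielweg, Berlin", "size": "S"},
]


def run_retention(today: date = date(2024, 4, 5)):
    """Minimise the constructed export, then apply the retention purge as of `today`."""
    minimised = [minimise(r) for r in SAMPLE_EXPORT]
    return purge_expired(minimised, today)


if __name__ == "__main__":
    kept, log = run_retention()
    print(json.dumps({"retained": kept, "audit": log}, indent=2))
```

Run as a scheduled job against the live recipient store, `run_retention()` on the sample data erases the Paris record (delivered 1 March, purged on 5 April) and keeps the Dublin record and the undelivered Berlin one; the audit entry carries only a hash and dates, which is what an Article 30 extract or an erasure-request confirmation needs.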

How this affects merch programs

  • Welcome-kit programs that ingest HRIS data must run on documented lawful basis
  • Event-merch sign-up forms need granular consent (separate from marketing opt-in)
  • Direct-to-recipient shipping requires DPA + sub-processor list (couriers count)
  • Photographs of branded merch with identifiable recipients = personal data
  • Cross-border transfers (e.g., EU recipient list to UAE supplier) need SCCs or adequacy

Documentation packet: what suppliers must provide

  1. Signed DPA (Article 28) including sub-processor schedule
  2. Standard Contractual Clauses (SCCs) for non-adequate-country transfers
  3. Transfer Impact Assessment (TIA) post-Schrems II
  4. ISO 27001 or SOC 2 Type II report from supplier
  5. Pen-test summary or vulnerability scan from past 12 months
  6. Incident-response plan with RTO/RPO commitments
  7. Sub-processor authorisation list, signed and dated
  8. Records-of-Processing extract for the merch category

Decision tree: when does this framework apply?

  • Are any recipients in the EU/EEA? Yes -> GDPR applies
  • Are you the controller, processor, or joint controller? Drives obligations
  • Is data leaving the EU/EEA? An adequacy decision, or SCCs plus a TIA, is needed
  • Is the data special-category (health, religion)? Explicit consent required

Fines for violations

  • Up to EUR 20 million or 4% of worldwide annual turnover (whichever is higher)
  • Per-incident fines from supervisory authorities (national data protection authorities such as CNIL, ICO, etc.)
  • Civil compensation claims from affected data subjects
  • Reputational impact from public breach notification register

How we help

  • Pre-signed DPA (Article 28) with our standard sub-processor list
  • EU-resident data centre option for recipient-list storage
  • Encrypted upload portal (TLS 1.3) for HRIS exports
  • 30-day automatic deletion policy with audit log
  • Annual Transfer Impact Assessment refresh
  • Sub-processor change notice 30 days in advance

Frequently asked questions

Does GDPR apply to free merch?

Yes: even when no money changes hands, processing a recipient's name and address for shipping is personal-data processing under GDPR Article 4.

What lawful basis fits employee welcome kits?

Most often performance of contract (employment) or legitimate interest, documented in the Records of Processing Activities.

Do we need a DPA with the courier?

Yes: couriers act as processors when they receive a recipient list, even for last-mile delivery.

How long can we store recipient lists?

Only as long as necessary; our default is 30 days post-delivery, then automatic deletion with an audit log.

What happens if a recipient asks for erasure?

We delete from active systems within 30 days and confirm to you; backups expire under the documented retention schedule.

Talk to a compliance specialist

Email compliance@merch.am with your specific scope and target jurisdictions. We respond within 1 business day with the relevant documentation packet and a no-obligation gap analysis.