It’s quite common for businesses to run prize competitions and if you decide to run one, for individuals such as your customers, you must comply with the GDPR. Here are our GDPR compliance tips when running a prize competition.
You are required to provide certain information from the outset to individuals who participate in the competition as you would be required to provide to customers who you supply goods and services to, such as how you will collect, use and process their personal information.
You may already have policies and procedures in place for customers that you supply goods and services to, but do they extend to the right to process their personal information for the purposes of running a competition? For example, does your privacy policy refer to the lawful grounds for processing personal information for running a competition? If it doesn’t, you should consider drafting a new one to deal specifically with running a competition and it must be brought to the attention of the individuals participating in the competition so that they can make an informed decision.
There are six lawful grounds for processing personal information and the ones that could be used for running a prize competition are
- Contract – there will be a contract between the organiser of the competition and the individuals who participate in the competition. The organiser will need to process personal information to manage the competition. If the competition is open to children and they do not have the competence to enter the competition you should consider a different lawful ground
- Consent – if you secure an individual’s consent, then this is a lawful ground for processing data for a specific purpose to process their personal information for participating in the competition. Note though, consent must be freely given – a pre-ticked opt-in box or wording in the terms and conditions by the organiser that set out the rules to the competition are not adequate. You will also need to inform individuals of their right to withdraw consent. The consent ground should also be considered where consent is required from a parent of a child participating in the competition. However, legitimate interests could also be used as a ground for processing personal information of a child (see below).
- Legitimate interests – the processing is necessary for the organiser’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal information which overrides the organiser’s legitimate interests. Legitimate interests is the most flexible lawful ground for processing an individual’s personal information but it should not be used until the organiser has identified a legitimate interest, can demonstrate that the processing is necessary to achieve it and balances legitimate interest against an individual’s interests, rights and freedoms. There will also be additional requirements placed on the organiser such as putting in place safeguards where the legitimate interests ground is to be used to process personal information of a child.
The GDPR imposes additional requirements if you decide to transfer an individual’s information to a country outside of the EEA and if you share the information with a third party. You also need to consider how you will secure the individual’s personal information, encryption and when it should be deleted. The terms and conditions that set out the rules of the competition should also refer to GDPR.
In terms of the law and guidance on running a competition which is outside the scope of this particular post, you should consider the Gambling Act 2005 and the Advertising Standards Authority’s website.
Important Notice: This page is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking or deciding not to take any action. Please email us ([email protected]) if you have any questions.
