Loyalty Programs and GDPR in Ireland: What You Must Get Right Before You Launch


Updated 24 May 2026 · 13 min read

Written by Nuala Canning

When the Data Protection Commission closed 146 electronic direct-marketing investigations in 2024 and prosecuted eight companies for unsolicited communications, loyalty operators could be forgiven for assuming that enforcement was someone else's problem. It rarely is.

A loyalty program is a data collection engine. From the moment a member registers to the day they ask you to delete their account, you are collecting, storing, processing, and in many cases sharing personal data. The GDPR obligations at each of those stages are specific, and the DPC's active enforcement posture means that getting them wrong carries real consequences.

This guide covers everything an Irish marketing manager or DPO needs to know about GDPR compliance for loyalty programs: the lawful basis for each data point you collect, how to build a compliant sign-up flow, how long you can keep member data, how to handle rights requests, and where the DPC is actively looking. It is not legal advice. For specific situations, consult a qualified data protection professional.

What personal data loyalty programs collect (and why every data point needs a lawful basis)

A typical loyalty program registration form collects a lot: name, email address, phone number, date of birth, and postal address. Once the member is active, you add transaction history, purchase frequency, product preferences, and behavioral data from how they engage with your app or emails. Every single data point needs a documented lawful basis under GDPR Article 6.

The correct basis for core membership data is contractual necessity (Article 6(1)(b)). When a member signs up, they enter into a contract. Processing the data necessary to deliver that membership, including their contact details, transaction records, and points balance, is justified under the terms of that contract.

The mistake most brands make is stretching contractual necessity too far. Collecting a date of birth to verify age at a licensed venue is arguably necessary. Collecting it to send a birthday discount email is a marketing activity, and it requires a different lawful basis. The practical test for every data point is: would the program fail to function without this? If the honest answer is no, you need a separate justification.

The six lawful bases under GDPR Article 6 are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For loyalty programs, the relevant bases are contract (for core membership operations), consent (for marketing and non-essential processing), and legal obligation (for records you must retain under Irish law, such as financial records). Legitimate interests can apply in some situations, but not for direct marketing communications, which is covered below.

Ireland's ePrivacy Regulations (SI 336/2011) sit alongside GDPR and govern electronic direct marketing independently. Under Regulation 13 of those Regulations, sending promotional electronic messages requires the affirmative consent of the recipient. According to the Data Protection Commission's guidance on electronic direct marketing, consent must be given in advance, freely given, specific, and informed. Pre-ticked boxes, silence, and inactivity do not constitute valid consent under those rules.

There is one limited exemption worth understanding. Where an email address was collected in the course of a product or service sale, a company may contact that customer about its own similar products or services for up to 12 months after the sale without fresh consent, provided the customer was given a clear, free opportunity to opt out at the point of collection and in every message sent since. This exemption is narrow, and loyalty operators who rely on it without checking whether their communications genuinely meet the "similar products" test, and whether every message carries an opt-out, are taking a compliance risk.

Legitimate interest (Article 6(1)(f) GDPR) cannot substitute for consent where the ePrivacy Regulations require it. The EDPB's 2024 guidelines on legitimate interest, published at edpb.europa.eu, confirm this position: where electronic marketing consent is required under national ePrivacy law, legitimate interest cannot be used to bypass that requirement.

The practical implication: transactional loyalty messages (points credited, reward expiry alerts, account statements) are justified under the membership contract. Promotional messages require explicit opt-in consent. Your marketing consent architecture must reflect that distinction, and your email platform must be configured to enforce it.

How to structure a compliant sign-up flow

The sign-up flow is where most loyalty programs either get GDPR right or build in problems they will be correcting for years. GDPR Article 13 requires that at the point of data collection you disclose your identity as data controller, the purposes and lawful basis for each processing activity, who else will receive the data, retention periods, and that the member has the right to lodge a complaint with the DPC.

Marketing consent must be collected separately from acceptance of membership terms and conditions. A single checkbox that covers both is not valid because consent must be specific. If you want consent for email marketing and also for SMS marketing, those must be two distinct, unticked opt-in boxes.

Three things to build into the flow: a clearly worded statement that core membership data will be processed to administer the program under the contract; separate unticked opt-in boxes for each marketing channel; and a link to a full privacy notice that names every third party (including technology providers and reward partners) who will process member data.

One detail that catches brands out: you must retain a record of consent, including when it was given, through which mechanism, and what the member was shown at the time. If a member disputes whether they opted in to marketing emails, you need to be able to demonstrate what they agreed to and when. No record means no defense.

Data retention: how long you can keep loyalty member data

GDPR's storage limitation principle (Article 5(1)(e)) requires personal data to be kept for no longer than necessary for the purposes for which it was collected. The DPC expects documented retention schedules that specify the period, the trigger for deletion, and the basis for each retention decision. Vague timelines such as "as long as required" do not meet the standard.

For loyalty programs, three situations apply.

Active members: data can be retained for the duration of active membership because the contract justifies it.

Inactive members: once a member stops engaging, the basis for retaining them in an active marketing audience weakens. The widely observed practice is to trigger a re-consent process or deletion after 12 to 24 months of inactivity.

Post-closure: when a member closes their account, core membership data should be deleted. Transaction records may be retained where a specific legal obligation exists (such as Revenue requirements), but that justification must be documented and the retention limited to the minimum necessary period.

A point that creates risk for many operators: if consent is the only lawful basis for processing a member's data and they withdraw that consent, you must stop processing and delete the data, unless a separate, independent lawful basis justifies continued retention.
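The consent record described in the sign-up section (channel, timestamp, mechanism, form version, text shown), the transactional versus promotional send gate, and the retention triggers above can be expressed directly in code. The following is an added example written for this page, not code from the article or from any loyalty platform. It is a Python model with an in-memory ledger; the channel names, message kinds, the 24-month inactivity trigger and the six-year period used for transaction records are illustrative assumptions and must be replaced with the periods in your own documented retention schedule.

```python
# Added example, not code from the original article. Models the consent ledger,
# the transactional/promotional send gate and the retention triggers. Channel
# names, message kinds, the 24-month inactivity trigger and the six-year period
# for transaction records are illustrative assumptions, not figures from the page.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CHANNELS = {"email", "sms", "phone"}
TRANSACTIONAL = {"points_credited", "reward_expiry", "account_statement"}
PROMOTIONAL = {"offer", "partner_deal"}
INACTIVITY_TRIGGER = timedelta(days=730)             # assumption: 24 months
TRANSACTION_RECORD_PERIOD = timedelta(days=6 * 365)  # assumption: check the statutory period


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry: what the member agreed to, when, and how."""
    channel: str
    given: bool          # True = opt-in, False = withdrawal
    at: datetime
    mechanism: str       # e.g. "signup_form", "preferences_page", "unsubscribe_link"
    form_version: str    # identifies the exact form and wording shown at the time
    text_shown: str


@dataclass
class Member:
    member_id: str
    last_activity: datetime
    closed: Optional[datetime] = None
    consents: list = field(default_factory=list)   # never edited, only appended to

    def record_consent(self, channel, given, at, mechanism, form_version, text_shown):
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        self.consents.append(ConsentEvent(channel, given, at, mechanism, form_version, text_shown))

    def has_consent(self, channel, at):
        """The latest event for the channel on or before `at` decides."""
        events = [e for e in self.consents if e.channel == channel and e.at <= at]
        return bool(events) and max(events, key=lambda e: e.at).given


def may_send(member, channel, kind, now):
    """Return (allowed, basis). Transactional messages rest on the contract;
    promotional ones need a current opt-in for that channel."""
    if member.closed is not None and member.closed <= now:
        return False, "account closed"
    if kind in TRANSACTIONAL:
        return True, "contract (GDPR Art. 6(1)(b))"
    if kind in PROMOTIONAL:
        if member.has_consent(channel, now):
            return True, "consent (SI 336/2011 Reg. 13)"
        return False, f"no current {channel} marketing consent"
    # Unknown kinds are refused, never silently treated as transactional.
    raise ValueError(f"unclassified message kind {kind!r}: classify before sending")


def retention_actions(member, now):
    """Decide, per data category, whether to retain or delete, and on what basis."""
    if member.closed is not None:
        if now - member.closed < TRANSACTION_RECORD_PERIOD:
            tx = ("retain", "legal obligation (Art. 6(1)(c))")
        else:
            tx = ("delete", "statutory period expired")
        return {"core_membership": ("delete", "contract ended"),
                "marketing_profile": ("delete", "membership ended"),
                "transaction_records": tx}
    actions = {"core_membership": ("retain", "contract (Art. 6(1)(b))"),
               "transaction_records": ("retain", "contract (Art. 6(1)(b))")}
    if now - member.last_activity >= INACTIVITY_TRIGGER:
        actions["marketing_profile"] = ("re-consent or delete", "inactivity trigger reached")
    elif any(member.has_consent(c, now) for c in CHANNELS):
        actions["marketing_profile"] = ("retain", "consent")
    else:
        actions["marketing_profile"] = ("delete", "consent absent or withdrawn, no other basis")
    return actions


def run_sample():
    """Constructed scenario: email opt-in at sign-up, later withdrawn via an unsubscribe link."""
    utc = timezone.utc
    now = datetime(2026, 5, 24, tzinfo=utc)
    m = Member("M-1001", last_activity=datetime(2026, 5, 1, tzinfo=utc))
    m.record_consent("email", True, datetime(2024, 1, 10, tzinfo=utc), "signup_form",
                     "signup-v3", "Yes, email me offers from the programme and its partners")
    m.record_consent("email", False, datetime(2025, 3, 1, tzinfo=utc), "unsubscribe_link",
                     "footer-v1", "Unsubscribe from marketing emails")
    dormant = Member("M-2002", last_activity=datetime(2024, 2, 1, tzinfo=utc))
    closed = Member("M-3003", last_activity=datetime(2026, 1, 1, tzinfo=utc),
                    closed=datetime(2026, 1, 15, tzinfo=utc))
    return {
        "email_consent_2025_01": m.has_consent("email", datetime(2025, 1, 1, tzinfo=utc)),
        "email_consent_now": m.has_consent("email", now),
        "points_email": may_send(m, "email", "points_credited", now),
        "offer_email": may_send(m, "email", "offer", now),
        "offer_sms": may_send(m, "sms", "offer", now),
        "active_member": retention_actions(m, now),
        "dormant_member": retention_actions(dormant, now)["marketing_profile"],
        "closed_member": retention_actions(closed, now),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Two design points matter here. The ledger is append-only, so a withdrawal is a new event rather than an edit of the original opt-in; that is what lets you later show exactly what the member was shown and when, which is the record the DPC will ask for. And the send gate refuses to send a message kind it cannot classify rather than defaulting it to transactional, because a "programme update" that promotes a partner deal is direct marketing and must be consent-gated.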

Member rights: access requests, erasure, and data portability

Every loyalty program operator needs working processes for three data subject rights, which are the most commonly exercised by members in practice.

Under GDPR Article 15, any member can submit a subject access request and receive a copy of the personal data you hold about them, the purposes for which it is processed, the categories of recipients, and expected retention periods. You must respond without undue delay and in any event within one month of receipt. That period can be extended by up to two further months where requests are complex or numerous, but you must tell the member about the extension, and the reasons for it, within the first month. The information must be provided free of charge unless the request is manifestly unfounded or excessive.

Under Article 17, members can request erasure of their data. You must comply where the data is no longer necessary for its original purpose, where consent has been withdrawn and no other basis applies, or where the processing was unlawful. You may decline an erasure request where you have a legal obligation that requires retention of the data, but you must communicate that reason clearly.

Under Article 20, where processing is carried out by automated means on the basis of consent or contract, members can ask to receive the personal data they provided to you in a structured, commonly used, machine-readable format (for example, a CSV export of transaction history and points balance), and can ask for it to be transmitted directly to another controller where technically feasible. The right covers data the member has provided, which includes data generated by their own activity such as transactions, but not data you have inferred from it, such as profiles or segments.

The operational gap we most often see: brands can process an access request in their CRM but leave member data sitting in an email platform, a third-party reward portal, or a data analytics tool. A rights request is only complete when the data has been addressed across every system where it exists.

DPC enforcement: what it means for loyalty operators in Ireland

The DPC is the EU's most active GDPR enforcer by total fine value. In 2024, it imposed administrative fines of more than €652 million across 11 finalised inquiry decisions. It received 11,091 new cases from individuals during the year, closed 146 electronic direct-marketing investigations, and prosecuted eight companies for unsolicited communications. Data breach notifications rose 11% to 7,781 compared to the previous year. Since GDPR came into force in 2018, the DPC has issued more than €3.5 billion in total fines, more than four times the value issued by the second-ranking EU supervisory authority. [Source: DPC 2024 Annual Report, dataprotection.ie]

The largest 2024 fines were €310 million against LinkedIn, for behavioural analysis and targeted advertising carried out without a valid lawful basis, and €251 million against Meta, for a 2018 personal data breach. The LinkedIn decision is the one that matters here: if you are using member purchase history to build marketing profiles and relying on legitimate interest as your lawful basis, you are in territory the DPC has already acted on.

The 146 direct-marketing investigations the DPC concluded in 2024 were not limited to multinationals. The DPC investigates complaints at all scales. If your loyalty program is sending promotional emails to members who did not opt in, or to inactive members whose consent has lapsed, you have measurable exposure.

Third-party data sharing with reward partners

Most loyalty programs involve third-party reward partners: voucher providers, gift card suppliers, cashback processors, or co-brand partners. Every data sharing arrangement requires proper governance before you transfer a single member record.

The first question is whether the third party is a data processor or a data controller. A processor handles member data on your behalf, under your instructions (for example, a technology platform running your loyalty app). A controller processes data for their own purposes (for example, a retail partner who wants to market to your members). The distinction determines which contractual obligations apply.

Where the third party is a processor, GDPR Article 28 requires a written data processing agreement. That agreement must cover the subject matter, duration, nature and purpose of the processing, the type of personal data, and the obligations of the processor. This is not optional or aspirational. It is a legal requirement that the DPC can and does examine.

Where the third party is a controller in its own right, work out which kind. If you and the partner jointly decide why and how member data is processed, you are joint controllers and need an Article 26 arrangement that allocates responsibilities between you. If the partner processes the data for its own, separately determined purposes, it is an independent controller: you still need a documented data-sharing agreement and a lawful basis for the disclosure, and the partner needs its own lawful basis and privacy notice. In either case, your privacy notice must explain clearly what data goes to that partner and for what purpose. Under Article 13(1)(e), members are entitled to know who receives their data. References in privacy notices to "trusted partners" or "selected third parties" are not sufficient under GDPR's transparency requirements. Name the specific entities, or at minimum the specific categories of recipients.

GDPR audit checklist for loyalty program operators

Before launch, or when reviewing an existing program, work through these areas systematically. At Brandfire, we use a version of this checklist when we audit a client's loyalty program ahead of a new season or a platform migration.

Data inventory. Have you mapped every data point you collect? Does each one have a documented lawful basis? Is that basis accurate, not assumed?

Consent architecture. Does your registration flow use separate, unticked opt-in boxes for each marketing channel? Do you store a record of each consent with a timestamp and the version of the form shown?

Privacy notice. Does your notice meet the Article 13 disclosure requirements? Does it name all processors and third-party controllers specifically?

Retention schedule. Is there a documented schedule covering periods, triggers, and bases for each data category? Is there a process for re-consent or deletion of inactive member records?

Rights processes. Do you have a process for subject access requests, erasure requests, and portability requests? Is there a named owner? Have you tested deletion workflows across all connected systems?

Data processing agreements. Do you have signed DPAs with every technology provider and reward partner who processes member data?

Marketing segmentation. Are promotional and transactional email audiences segmented in your platform? Are members who have not consented to marketing excluded from all promotional sends?

Build compliance in from the start, not from a complaint

Getting GDPR right in a loyalty program is significantly easier when data compliance is designed into the architecture at the brief stage rather than retrofitted after a complaint arrives. The DPC's enforcement environment makes this a business risk question, not just a legal checkbox exercise.

We work with brands across energy, insurance, grocery, and telecoms to design and operate loyalty programs that meet Irish and EU data protection requirements from day one. If you are planning a new program or auditing an existing one, the Brandfire loyalty team can help you identify where the risks sit and how to address them before you go live. Contact us to start the conversation.


Frequently asked questions

Does a loyalty sign-up form in Ireland need a separate marketing consent checkbox?

Yes. Under Ireland's ePrivacy Regulations and GDPR, marketing consent must be collected via a separate, unticked opt-in that is distinct from acceptance of membership terms. A combined checkbox is not valid consent because consent must be specific. Separate boxes for email, SMS, and phone marketing are required if you intend to use all three channels.

Can we rely on legitimate interest to send promotional emails to loyalty members?

No. Ireland's ePrivacy Regulations (SI 336/2011) require affirmative consent for electronic direct marketing. Legitimate interest as a lawful basis cannot override that requirement. The EDPB's 2024 guidance on legitimate interest confirms this position at the EU level.

How long can we keep a loyalty member's data after they close their account?

Core membership data should be deleted on account closure. Transaction records may be retained where there is a specific legal obligation (such as accounting records under Irish company law), but only for the period required by that obligation and documented in your retention schedule. Open-ended retention of post-closure data is not compliant.

What must a privacy notice say about third-party reward partners?

Under GDPR Article 13(1)(e), you must disclose the recipients or categories of recipients of member data. Generic references to "partners" or "selected third parties" are not sufficient. If a reward partner will process member data for its own purposes, it is a controller: a joint controller, governed by a written arrangement under GDPR Article 26, where you jointly determine the purposes and means of the processing, or otherwise an independent controller, in which case the disclosure needs its own lawful basis and a documented data-sharing agreement. Either way, the partner and the purpose of the sharing must be disclosed in your notice.

What is the difference between a transactional loyalty communication and direct marketing under Irish law?

Transactional loyalty communications (points credited, reward expiry alerts, account statements) are justified under the membership contract and do not require marketing consent. Direct marketing is any communication designed to promote goods, services, or campaigns, and it requires opt-in consent under Ireland's ePrivacy Regulations, regardless of how the message is framed. A "programme update" email that promotes a new partner deal is direct marketing.
