Digitisation of retail: Is the GDPR a brake on innovation?

Technological change is gaining momentum and is having a huge impact not only on online retail but also, and above all, on brick-and-mortar retail. Retailers are relying on greater digitisation of their offers so that they can use personal data to appeal to customers directly at the point of sale. Geofencing and omnichannel marketing are considered important aids. Customer loyalty programmes are currently also experiencing a boom. Physical customer cards and apps give brick-and-mortar retailers the opportunity to evaluate customer data comprehensively and to adapt their offers.

However, the GDPR has been in force since May 2018, something which many people see as a brake on innovation or even an innovation killer. This is why the EU is now also considered the most powerful regulator in the US tech industry. And, in fact, many companies are overwhelmed by the implementation of the GDPR, as many issues have yet to be resolved. This legal uncertainty, combined with the high threat of fines, prevents many companies from using new technologies.

But what about the horror scenarios being spread by opponents of data protection? Doesn’t the GDPR perhaps also offer opportunities? Could it, on the contrary, even drive innovation? In particular, how can retailers continue to use and improve data-driven customer communication without being paralysed by a fear of fines? The following article focuses on geofencing and omnichannel marketing.

The digital transformation of retail

What was once the Industrial Revolution is now digitisation. In particular, the digitisation of retail is progressing rapidly. In addition to the retailers, customers are also among the winners. Seamless shopping, a seamless shopping experience across all channels, has now become a matter of course for them. Retailers must meet this challenge with appropriate omnichannel solutions, i.e. a cross-channel business model – one of the most important trends in the retail sector. As a result, purchasing processes interlock: buy online, collect offline; order on site and then have it delivered.

Retailers may use this interlocking to optimise their offers by extending their marketing strategy across all channels and addressing customers wherever they happen to be. For this to be possible, all customer activities must be recorded and analysed – big data is the result. In this context, retailers must be aware, above all, of their data protection obligations under Articles 13 and 14 of the GDPR and must inform customers of the relevant processing procedures in the most precise, transparent, comprehensible and easily accessible form, using clear and simple language. It should also be verified whether a data protection impact assessment as per Article 35 of the GDPR is required.

Many retailers also accept a variety of mobile payment options (“mobile payment”) from which the buyer may choose. The issue of data security plays a major role here, as bank and credit card information is sensitive and is therefore data worthy of particular protection.

In-house shopping apps and electronic shelf labels (ESL) have now become standard. In addition to the current price, the latter also offer important additional information which may make the purchase decision easier. By networking the tills, retailers are also able to measure their flow of goods in real time, adjusting their orders accordingly.

Another impressive example of the digitisation of retail is smart mirrors. The US perfume and cosmetics giant Coty has recently launched a Magic Mirror which enables customers to try out new hair colours. This is made possible by a revolutionary technology known as augmented reality. This technology caused a stir from a data protection viewpoint when Google Glass was to be introduced. The main problem: third parties would also be affected by the data collection.

Individual customer contact via geofencing and legal considerations

Personalisation in retail is also becoming more and more relevant. Many customers like it when they are approached personally online. Tailored product recommendations and other personalised content are also welcome due to their usefulness. This is all possible due to the collection and evaluation of data relating to the customer.

Tools are also used on site, at the point of sale or point of interest, with which customers can be individually approached. For example, so-called “beacons” (small Bluetooth transmitters and receivers) enable the customer to be located in the store in order to send relevant offers directly to their device. Today, however, localisation or tracking via WiFi serial number is more promising, as WiFi is used much more frequently by smartphone users than is Bluetooth.

Particularly popular in this context is geofencing, i.e. location-based marketing. For example, the potential customer receives offers via push message as soon as they enter a virtually defined area (usually in the immediate vicinity of a shop). However, the technical prerequisite is that the customer uses the retailer’s app, shares their location and allows push notifications. A top topic for all sectors.

The use of geofencing requires compliance with a few aspects of data protection law. Above all, any data processing requires a legal basis under data protection law. The bases to be considered here are consent under Article 6(1)(a) of the GDPR, the retailer’s legitimate interests, and the conclusion of a contract:

1. Consent

Obtaining consent in compliance with the law when processing location-related data is by no means an easy undertaking. Consent in accordance with Article 7 of the GDPR is only deemed to be valid if it has been given voluntarily, for a specific case, after sufficient information and without ambiguity. In practice, this means that the individual processing steps must be recorded in as much detail as possible so that the customer knows precisely what is happening to their data. Furthermore, this information must be directly (temporally) associated with the granting of consent. If a data subject gives their consent, they must also be entitled to revoke it at any time. This leads to an increased organisational effort on the part of the processor.

2. Legitimate interests

The route via legitimate interests in accordance with Article 6(1)(f) of the GDPR is simpler and less time-consuming. For example, controllers can justify the planned data processing or the use of geofencing by invoking overriding legitimate interests. In this context, the retailer’s interests in the use must be weighed against the interests of the data subject that are worthy of protection. If the former predominate, the use of geofencing is justified from a data protection viewpoint and is therefore permissible without the need for consent. If the personal data is also pseudonymised, this will in principle tip the balance of interests in favour of the controller. It also limits the number of addressees to existing customers.

3. Contract

However, the greatest legal certainty is provided by the conclusion of a contract as per Article 6(1)(b) of the GDPR. The installation of many apps regularly includes the conclusion of a service contract. Should a company (also) intend to individualise the users with the help of geofencing and its in-house app in order to be able to create profiles, it is recommended that this data processing be explicitly included in the contract as part of the service.

Depending on the app design, the processing is to be described either as an integral part of the services or as an additional service. In this way, for example, the use of geofencing and the creation of a user profile become part of the contract.

The benefits for the app user should be emphasised, but without concealing any further analysis: above all, individualisation enables the company to deliver tailored offers and coupons, for example, but also to improve its own services and marketing measures by evaluating the profiles.

The guarantee of transparency is of particular importance to the validity of the contract in this context. Information about the planned data processing should therefore be provided separately, in as much detail as possible and in language which can be easily understood. For this reason, inclusion in the General Terms and Conditions (GTC) is prohibited.

No matter what legal basis a company chooses, working with pseudonymised data is always desirable, as it is much more difficult to abuse. In addition, companies fulfil the data protection principle of “privacy by design” in this way, and it is easier for customers to develop trust in the technology used.

In addition to the aspects of data protection law, it should also be taken into account that, depending on the design, geofencing may also be “unfair” within the meaning of the German Act against Unfair Competition (UWG). For instance, geofencing zones are set up not only in and around a retailer’s own shops, but also in the immediate area of competitors’ branches. The point at which this is to be qualified as a deliberate obstruction as per section 4 (4) of the UWG has not yet been judicially clarified. Qualification as an unfair enticement of customers is also conceivable.

Retailers should ask themselves the following questions when introducing new technologies:

  • Does use of the technology require the processing of personal data?
  • Is it also possible to use the technology with pseudonymised or even anonymised data (and does the latter even fall within the scope of the GDPR)?
  • What is the legal basis for the processing?
  • What are the specific requirements given by the relevant legal basis?
  • Can these requirements be fulfilled within the scope of the use of the technology?
  • Are customers comprehensively and transparently informed about processing operations?
  • Can fulfilment of the rights of the data subjects be guaranteed (right of access, right of erasure etc.)?
  • Is the use of the new technology likely to result in a high risk to the rights and freedoms of natural persons?
  • Is it possible that the actual use of the technology may be qualified as “unfair” within the meaning of the UWG?
  • What measures are required in order to avoid such a qualification?

GDPR as a brake on innovation for technological developments?

The central question now arising is: Does the GDPR kill off innovations such as geofencing? If you ask company management, the answer is often “yes” due to the increased costs. The Chairman of Bitkom also warns: “If we take data protection too far, we will impede the use of artificial intelligence.”

The fact is that geofencing is not possible without the processing of location data. It is equally a fact that the GDPR regulates the processing and use of personal data. In this respect, there are definitely restrictions on the use of innovations. In turn, this means that controllers may have to seek out new solutions which comply with data protection before new technology can be used without hesitation – a loss of time.

The claim that the GDPR is a brake on innovation is absolutely warranted in certain cases, but it is definitely not an innovation killer. The GDPR may even stimulate innovation.

This is illustrated by the following example:

In the event of a request for erasure as per Article 17 of the GDPR, the controller must completely delete all personal data of a data subject (with the exception of data for which there is a retention obligation).
If AI is used which is fed with large quantities of personal data, this erasure obligation certainly also affects the AI used. It must therefore learn to “forget”.
This is not an easy task, particularly if it is a so-called “black box”. The term “black box” describes a situation in which individual decisions of the AI, or the criteria on which those decisions are based, can no longer be (completely) traced because the AI has independently developed the algorithm further.
For the fulfilment of the erasure obligations, it is therefore indispensable to be able to keep apart and separate individual data records without compromising the (new) algorithm. Smart minds are needed here to facilitate such erasure without hindering the use of AI.


Retailers certainly face a number of challenges when it comes to using new technologies such as geofencing or artificial intelligence. The use of personal location data, as is the case with geofencing, must therefore be well thought out. In addition to consent as a legal basis, the processing of personal data may also be based on legitimate interests, depending on the individual case. In practice, however, the most relevant option is likely to be via a contract, as this offers most legal certainty.

The GDPR has recently brought data protection law to the attention of the public. Customers are becoming more and more cautious regarding the disclosure of their data. For this reason, retailers should prioritise the subject and invest in building trust by providing transparent information about all relevant data processing operations. This approach may turn out to be a competitive advantage, and data protection itself may become a marketing measure. This is why Tim Cook (CEO of Apple) is also calling for stricter data protection regulations, because this is the only way to strengthen customers’ confidence in new products.

The GDPR sometimes actually slows down technical progress, but it does not prevent it. There is only a delay. However, this delay should be worth the protection of personal data and the loyalty of our customers.

