The EU General Data Protection Regulation (GDPR) defines the way that organisations and businesses should collect, control and process personal data. Its goal is to ensure that there is a balanced relationship between the rights of the individual and those who process their personal data, ensuring that the needs of the digital economy in Europe are enhanced through the seamless transfer of personal information in a protective environment.
When it comes to queue management software that enables walk-in customers to join a digital queue to receive updates about their queue status while they wait, the collection of customer and employee data to communicate with customers about their service within your business is key to using the software’s core capabilities.
This pack is designed to ensure retailers understand how they should use Qudini’s virtual queuing system to manage customer data in compliance with GDPR requirements. The pack also explains the specific features we have created to support you in ensuring GDPR compliance.
Download the GDPR compliance with Qudini pack.
Below is some useful information on how to remain GDPR compliant when using a queuing app, with some high-level
information on the requirements of GDPR. It should not be regarded as legal advice – we recommend you seek your own professional legal counsel for any advice on how to collect, process and manage personal data in compliance with GDPR.
What data does a queue management system collect?
Customers can enter a queue management system through a number of methods, including the web, by QR code, by SMS,
through a self-service kiosk or via a member of staff.
The specific data a queue management system collects depends entirely on you. Within Qudini’s settings platform, you can configure which data capture fields you wish to enable/disable across your online and store associate interfaces.
The personal data that you might request from a customer might include their:
- Name – to greet the customer by name throughout their visit.
- Email – to send email reminders to the customer and a post visit survey.
- Phone number – to send SMS updates to the customer with their queue information and any ad hoc template messages your team might choose to send.
- Postcode – to analyse customer demographics.
- IP address – to analyse traffic and customer demographics.
- Customisable questions – we also have a feature to fully customise questions to ask customers to understand more about them and their visit plans.
When do you need customer consent?
The lawful basis for collecting customer data under GDPR is that the processing of customer personal data is necessary to provide services under your contract with the customer, meaning there is no need to obtain consent.
Because you are capturing customer data for the purposes of providing information about a transaction that the customer has requested, consent under GDPR is not required to send the customer messages about their queue status. Your privacy policy must be made available for the customer to view and different rules apply if you want to send marketing content to the customer.
Despite consent not being required, Qudini has the functionality to enable you to require customer consent if you wish to take additional precautions.
Do you need customer consent to send marketing communications?
You cannot use the customer’s personal data collected for marketing purposes, (for example sending the customer information about products, unrelated services to that which the customer has indicated they are visiting for, or discounts) unless they have separately opted-in for this purpose. If you do want to send marketing communications, it is possible within Qudini to provide a separate option to opt-in for marketing communications.
If this is used, your privacy policy must state how the data will be used. It also needs to be possible to opt-out of the marketing messaging at any point. If a customer opts-in or out of marketing content within the virtual queuing experience, this should undertake the applicable action for your entire company/marketing database. Integration with your company CRM system is therefore required to make this feature work in compliance with GDPR standards.
Your privacy and cookie policy should be visible
Before providing their personal data, even for transaction purposes, a customer should have the option to view your privacy policy before you process their personal data. It should contain the information required by article 13 of GDPR, including a description of how personal data will be processed. It should also list the queue management software provider as a processor of their data.
Qudini’s join queue interface settings include the capability to link to your company’s online privacy policy for the customer to read if they would like to. For customers being manually added to the queue by staff members, it would be best to keep a physical copy of your privacy policy in a folder for customers to read if they request to. In addition, providing customers with a piece of paper with a URL/QR code link to your online privacy policy may also be of use (especially during Covid-19).
The standard Qudini join the queue interfaces use Cookies for the purposes of providing you with Google Analytics-style data on your customers’ geographic location, devices used and referrer site. As a result, the Qudini Cookie policy is made visible to all customers using our online interfaces to join the queue.
GDPR standards recommend that you explain to customers why you are collecting certain pieces of information about them. As a result, on the ‘enter details’ page of the Qudini join queue interfaces we allow you to enable ‘information’ buttons next to each data field. When a customer clicks on any of these they can then read information as to why each piece of data is being requested.
Can you communicate with customers via SMS or email?
When communicating with customers, it’s important that all customer messages should only include transaction/service information.
Qudini offers a variety of features that enable you to automatically communicate with customers about their intended service within your business. This includes SMS, email and a personalised weblink that displays the customer’s real-time queue status.
Because customer data is collected primarily for ‘transaction’ purposes, it is appropriate to use these communication channels only to provide your customers with informative messages about their intended service (this can include their queue status, advisor and any information they have requested). These SMS messages, emails and real-time customer weblinks must not include marketing content within them (such as information about products, unrelated services to that which the customer is waiting for, or discounts) unless the customer has explicitly opted in to receive these kind of marketing communications when they provided their details. Any marketing opt-in button must be disabled by default, providing the customer with the option to actively opt-in should they wish to.
SMS messages
Template SMS – Qudini offers the ability to set-up template SMS and email messages that your store associates can manually trigger to customers at any point during their visit.
Free hand SMS – It is also possible for store associates to free-hand message customers. This feature by default is disabled.
Under GDPR standards, these Qudini SMS features can be used for the following transaction focussed purposes (without requiring specific consent from the customer):
- To manage customer expectations – around their visit with additional queue position information. This is fine as long as the messages do not include promotional content.
- To provide customers with product or service information requested by the customer on an individual and ad-hoc basis – in this situation, this amounts to marketing content, but this is fine to do on an ad hoc basis if the customer has asked for specific information for a single message. Sending out further marketing communications to the customer would require them to fully optin.
We recommend that you fully brief your store associates on the difference between transaction content and marketing content before enabling these features.
Follow-up messages and surveys
Qudini offer the capability to send customers follow-up SMS or email messages after their visit. You may wish to use this feature for a variety of purposes as suggested below, alongside how to use these capabilities within the standards of GDPR without requiring specific consent from the customer:
- Thank you for visiting message – This is fine as long as the message does not link to any marketing material.
- Survey feedback – This is fine as long as the survey is used for genuine feedback or market research purposes, not for marketing purposes.
- Service information – You may choose to include notes about your customer’s visit and transaction. This is fine as long as the message does not include marketing messaging and promotional content beyond that which the customer has requested you to send on an ad-hoc basis pertaining to their specific visit.
Can you ask customers to complete questions in the virtual queue?
Qudini offers the ability to customise questions that customers are requested to respond to when joining the queue, whether by online or through a staff member. You may choose to use these questions to capture additional information about the customer. This is fine as long as you reference the new type of data collected within your privacy policy and have a clear purpose for requiring this data.
You cannot collect sensitive personal data without an exemption. Sensitive personal data is a data subject’s racial or ethnic origin, political opinions, religious beliefs, physical or mental health status, sex life, trade union membership, financial background, criminal background, genetic data or biometric data. Under Article 9 of GDPR, sensitive personal data can only be processed if an exemption applies. An exemption will apply if you have explicit consent; or, where you are working in the health sector, you are collecting personal data for medical diagnosis or treatment. There are other exemptions, too, but care should be taken and you should check that they apply to you.
How should customer data from a queuing system be stored?
As the data controller, it is your decision as to how long customer data should be stored within the queuing system. Qudini’s platform enables you to easily configure how long after a customer’s visit their personal data (phone, email, notes, question responses) will be stored (whether a matter of hours, days or months).
Our default setting is that customer data is deleted immediately after their transaction has finished, but some retailers store customer data for a certain period due to compliance requirements and others import data into their CRM to support customer loyalty and clienteling. This seamless automated deletion of data enables you to easily ensure that all data is retained within the timeframes agreed within your company privacy policies, without the need to consistently manage this data deletion.
Even if your customer’s personal identifiable data is deleted (such as name, mobile number, email address) Qudini will still retain generic data about their visit such as wait time, advisor service information, product interest, outcomes and beyond for the benefit of providing you with rich analytics about your business.
Requests from customers for personal data
Under GDPR, a customer has the right to require you to provide them with the personal data you hold about them; they also have the right, in certain circumstances, to ask you to delete their personal data. To support the seamless performance of this request across your business, Qudini has created a portal that will enable your head office team to easily search for customer records and to delete that individual customer’s data from our database. Most clients do not need to make use of this feature within Qudini because they have enabled the setting to delete customer data on a scheduled basis within a matter or hours, days or months after their service has been completed.
