Supermarkets: destroying customer data
A supermarket processes far more personal data than most owners think. Loyalty and savings cards link purchases to a name, cameras film every customer, receipts and return slips roll out of the printer all day and the delivery arm keeps addresses and order history. On top of that come staff records: personnel files and job applications. This guide shows, part by part, what you keep, when it may go and how to destroy it confidentially.
In short: keep invoicing and administration for seven years because of the tax retention obligation. Keep loyalty profiles, CCTV footage and delivery data only while there is a purpose, and clear them out afterwards. Whatever may go is destroyed confidentially, with a certificate as proof.
Two kinds of data in the shop
A supermarket holds two kinds of data side by side. The first is the administration you must keep by law, such as invoices and payroll records. The second is the data you collect to run the shop, from loyalty profiles to CCTV footage. A minimum period applies to the first group and a maximum to the second: you may not keep that data longer than its purpose requires.
So treat the data per type. A receipt has a different status from a customer profile in the savings programme or an application letter. If you make that distinction, you keep exactly what you must and clear out the rest on time.
Retention periods by part
The period differs per type of data. The overview below gives the outline. Count the tax period from the end of the financial year and the other periods from the moment the purpose lapses.
| Part | Starting point | Period |
|---|---|---|
| Invoicing and administration | Tax retention obligation | 7 years |
| Loyalty and savings-card profiles | While participation runs | purpose-bound |
| CCTV footage | Storage limitation | often around 4 weeks |
| Application data | Clear out after rejection | 4 weeks, or 1 year with consent |
| Delivery and online-order data | Until settlement and tax | purpose-bound + 7 years |
| Receipts and return slips | Thermal paper, fades | until settlement |
Use this as a guideline, not as a substitute for your own assessment of each situation. A full overview by document type is in the GDPR retention periods cheatsheet. For your administration, the tax rules take precedence.
Loyalty and savings-card data
A savings programme or loyalty card turns anonymous purchases into a profile with a name, email address and purchase history. That is valuable for the shop, but it is also a collection of personal data with a clear purpose. As long as the customer takes part you have a ground to keep the profile. If the customer cancels or the programme ends, that ground lapses and you clear out the linked data.
Watch the loose forms customers use to sign up. Those enrolment cards with a name, address and signature sometimes sit in a drawer at the customer-service desk for months. Collect them in a sealed container as soon as they are processed and have them destroyed confidentially. A stack of completed enrolment cards in the paper bin is a data breach you could easily have prevented.
Personnel and application data
A supermarket often has a lot of staff, with high turnover among shelf-stackers and checkout workers. As a result application letters, copies of diplomas and contracts pile up quickly. Clear out application data from rejected candidates within four weeks, or within a year if the candidate gives consent. For candidates who are hired, the personnel file applies, with its own periods after the employee leaves.
How long you keep each part of a file is set out in the guide on the personnel file and its retention period under the GDPR. Whatever has passed its period does not belong in the paper bin but in a sealed container for confidential destruction.
CCTV footage in the shop
Almost every supermarket is full of cameras against theft and for safety. That footage is personal data, because customers and staff are recognisable on screen. The main rule is storage limitation. You keep the footage as briefly as possible, in practice often around four weeks, unless a concrete incident justifies keeping it longer. After that the system overwrites or erases the footage automatically.
The period and how to erase footage properly are covered in the guide on the retention period and destruction of CCTV footage. Do not forget the hardware. An old recorder, a replaced hard drive or a phased-out NVR still holds footage and should be destroyed confidentially, not sold or thrown away.
Receipts and return slips on thermal paper
The till produces receipts all day. Customer copies leave through the door, but the shop copies of returns, deposits and card payments stay behind. Many of those slips are on thermal paper, which is sensitive and fades over time. They often contain more than you think, from card details to an address on a return. How you handle this paper safely is covered in the guide on thermal paper, receipts and boarding passes.
Keep these slips only as long as you need them for settling a return or a dispute. Collect the rest in a sealed container and have them destroyed confidentially. Thermal paper does not belong loose in the paper bin, because the data may still be legible.
Delivery and online-order data
More and more supermarkets deliver or offer online ordering. That brings in a webshop-like volume of data, with a name, address, order history and sometimes payment data. Packing slips and delivery lists with addresses roll out of the printer and often end up on a pile after the round. Handle this data just as a webshop would. The guide on a webshop and destroying customer data shows how to control that paper volume and the digital side.
Keep delivery data until the order has been settled and no complaint is in play. The payment side falls under the seven-year tax retention period; the loose packing and delivery slips you clear out shortly after the round. Collect them sealed and have them destroyed confidentially.
How to handle it in 6 steps
- Split the data into administration, loyalty, CCTV, staff and delivery.
- Attach a period to each type and record when the purpose lapses.
- Limit CCTV footage to the agreed period and erase automatically afterwards.
- Clear out applications on time and keep personnel files for their retention period.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Shop data is destroyed confidentially, because it contains customer, payment and staff data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old till server, a camera recorder or a backup with customer profiles belongs in that chain too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; collection is by appointment.
Common mistakes
- Leaving enrolment cards lying around. Completed loyalty cards belong in a sealed container after processing.
- Keeping CCTV footage forever. Without an incident the short storage period applies.
- Keeping applications too long. After four weeks the ground lapses without consent.
- Throwing thermal slips in the paper bin. The data may still be legible.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long does a supermarket keep loyalty and savings-card data?
As long as the savings programme runs and the customer takes part, you have a ground. If a customer cancels or the programme ends, you clear out the linked data. The underlying invoicing falls under the seven-year tax retention obligation; the personal profile data you keep no longer than necessary.
What do I do with CCTV footage from the shop?
You keep CCTV footage as briefly as possible, often around four weeks, unless an incident justifies keeping it longer. After that you overwrite or erase the footage. Have old recording equipment or hard drives with footage destroyed confidentially.
How long do I keep application data from shop staff?
Clear out application data from rejected candidates within four weeks, or within a year with consent. Personnel files of employees have their own periods after leaving. Have whatever may go destroyed confidentially.
How do I destroy shop data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and stay that way until destruction. You record the destruction in the record of processing as proof.
Conclusion
A supermarket works with customer, payment, CCTV and staff data at once, between a tax retention obligation and the GDPR's storage limitation. Keep the administration seven years, keep loyalty profiles only while the customer takes part and limit CCTV footage to the short period. Clear out applications and delivery slips as soon as the purpose lapses. Have whatever may go destroyed confidentially, with a certificate as proof. That way you meet both frameworks and protect the data of your customers and staff.
Have customer data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.